CVE-2022-29361
9.8
CRITICAL
CVSS 3.1
EPSS 31.1%
Description
Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project
How to fix CVE-2022-29361
To remediate CVE-2022-29361, upgrade the affected package to a fixed version below.
- —upgrade to 2.2.2-r0 or later
- —upgrade to 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85 or later
Is CVE-2022-29361 being exploited?
Moderate — EPSS is 31.1%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 2.2.2-r0
- from 0, < 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85 | from 0, < 2.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |