CVE-2023-23934

Description

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

How to fix CVE-2023-23934

To remediate CVE-2023-23934, upgrade the affected package to a fixed version below.

• —upgrade to 1.0.1+dfsg1-2+deb11u1 or later
• —upgrade to 0.14.1+dfsg1-4+deb10u2 or later
• —upgrade to 1.0.1+dfsg1-2+deb11u1 or later
• —upgrade to 2.2.3 or later
• —upgrade to cf275f42acad1b5950c50ffe8ef58fe62cdce028 or later

Is CVE-2023-23934 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 1.0.1+dfsg1-2+deb11u1
• from 0, < 0.14.1+dfsg1-4+deb10u2
• from 0, < 1.0.1+dfsg1-2+deb11u1
• from 0, < 2.2.3
• from 0, < cf275f42acad1b5950c50ffe8ef58fe62cdce028 | from 0, < 2.2.3

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-23934
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-23934
• PATCHgithub.com/pallets/werkzeug
• WEBgithub.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
• WEB