CVE-2024-49767

25.10.2024, 20:15

Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 74%

Vendor	Product	Version
palletsprojects	quart	𝑥 < 0.19.7
palletsprojects	werkzeug	𝑥 < 3.0.6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-werkzeug

bullseye	1.0.1+dfsg1-2+deb11u1 postponed
bookworm	2.2.2-3+deb12u1 no-dsa
bullseye (security)	1.0.1+dfsg1-2+deb11u2 fixed
sid	3.1.3-2 fixed
trixie	3.1.3-2 fixed

quart

bullseye	postponed
bookworm	no-dsa
sid	0.20.0-1 fixed
trixie	0.20.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-werkzeug

plucky	Fixed 3.0.4-1ubuntu1 released
oracular	Fixed 3.0.3-1ubuntu0.1 released
noble	Fixed 3.0.1-3ubuntu0.2 released
jammy	Fixed 2.0.2+dfsg1-1ubuntu0.22.04.3 released
focal	not-affected
bionic	not-affected
xenial	not-affected

quart

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee

https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f

https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b

https://github.com/pallets/werkzeug/releases/tag/3.0.6

https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2

https://security.netapp.com/advisory/ntap-20250103-0007/