AZL-13589

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-13589.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-13589

Upstream

CVE-2023-23934

Published

2023-02-14T20:15:17Z

Modified

2026-04-01T05:07:41.708175Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

CVE-2023-23934 affecting package python-werkzeug for versions less than 2.2.3-1

Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-23934

Affected packages

Azure Linux:2 / python-werkzeug

Package

Name: python-werkzeug
Purl: pkg:rpm/azure-linux/python-werkzeug

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.3-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-13589.json"