notification-api icon indicating copy to clipboard operation
notification-api copied to clipboard

Published 20 hours ago verified publisher icon cds-snc

fix(deps): update dependency werkzeug to v3 [security]

Open renovate[bot] opened this issue 1 year ago • 2 comments

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
Werkzeug (changelog) 2.3.7 -> 3.0.3 age adoption passing confidence

Review

  • [ ] Updates have been tested and work
  • [ ] If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

GitHub Vulnerability Alerts

CVE-2023-46136

Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

CVE-2024-34069

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.

Configuration

📅 Schedule: Branch creation - "" in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] avatar Oct 25 '23 15:10 renovate[bot]