
CVE-2022-29361: Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling

Open ntatsumi opened this issue 2 years ago • 2 comments

Vulnerability report

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29361

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.

Repro Steps (if applicable)

  1. Use Werkzeug version 2.1.1+, which has the vulnerability fix, as a dependency and run the app
  2. Broken!

Expected Behavior

The flask app running without producing any error.

Actual Behavior

ImportError is raised.

Error Messages/Stack Trace

_______________________________________ ERROR collecting test session ________________________________________
../../../opt/anaconda3/lib/python3.8/importlib/__init__.py:127: in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
<frozen importlib._bootstrap>:1014: in _gcd_import
    ???
<frozen importlib._bootstrap>:991: in _find_and_load
    ???
<frozen importlib._bootstrap>:975: in _find_and_load_unlocked
    ???
<frozen importlib._bootstrap>:671: in _load_unlocked
    ???
../../../opt/anaconda3/lib/python3.8/site-packages/_pytest/assertion/rewrite.py:171: in exec_module
    exec(co, module.__dict__)
app/tests/conftest.py:2: in <module>
    from flask.testing import FlaskClient
../../../opt/anaconda3/lib/python3.8/site-packages/flask/__init__.py:21: in <module>
    from .app import Flask
../../../opt/anaconda3/lib/python3.8/site-packages/flask/app.py:32: in <module>
    from werkzeug.wrappers import BaseResponse
E   ImportError: cannot import name 'BaseResponse' from 'werkzeug.wrappers'

Environment

  • Python version: 3.8.12
  • Flask version: 1.1.1
  • Flask-RESTX version: 0.5.1
  • Other installed Flask extensions: Werkzeug: 2.1.1+

Additional Context

Even though the vulnerability is disputed, it is still a vulnerability that is picked up by the vulnerability scans as a CRITICAL level one. This prevents many organizations from being able to use @flask-restx.

ntatsumi, Jun 14 '22 05:06
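An added example, not code from this issue or from the flask-restx project, that triages a Flask/Werkzeug pair against the two version ranges the report turns on: the advisory's Werkzeug <= 2.1.0 range, and the `BaseResponse` ImportError the reporter hits with Werkzeug 2.1.1+ on Flask 1.1.1. It assumes that the ImportError starts exactly at 2.1.1 as reported and that Flask 2.x no longer needs `BaseResponse`; the candidate version lists are constructed.

```python
# Added example (not from the issue or flask-restx): triage a Flask/Werkzeug
# version pair for the two ranges this thread describes. The thresholds below
# come from the report; FLASK_NEEDS_BASERESPONSE_BELOW is an assumption.
from importlib import metadata
import re

CVE_FIXED_IN = (2, 1, 1)                # advisory range is Werkzeug <= 2.1.0
BASERESPONSE_GONE_FROM = (2, 1, 1)      # reporter sees the ImportError with 2.1.1+
FLASK_NEEDS_BASERESPONSE_BELOW = (2, 0, 0)  # assumption: only Flask 1.x imports it


def parse_version(text):
    """Return (major, minor, patch); anything after the numeric part is ignored."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(flask_version, werkzeug_version):
    """Return a list of findings for the pair; an empty list means no issue found."""
    fv, wv = parse_version(flask_version), parse_version(werkzeug_version)
    findings = []
    if wv < CVE_FIXED_IN:
        findings.append(f"Werkzeug {werkzeug_version} is in the CVE-2022-29361 range (<= 2.1.0)")
    if fv < FLASK_NEEDS_BASERESPONSE_BELOW and wv >= BASERESPONSE_GONE_FROM:
        findings.append(f"Flask {flask_version} imports werkzeug.wrappers.BaseResponse, "
                        f"which Werkzeug {werkzeug_version} no longer provides (ImportError)")
    return findings


def compatible_werkzeug(flask_version, candidates):
    """Filter candidate Werkzeug versions down to those with no findings for this Flask."""
    return [c for c in candidates if not triage(flask_version, c)]


def triage_installed():
    """Triage the installed distributions; a missing package is reported, not raised."""
    try:
        fv, wv = metadata.version("Flask"), metadata.version("Werkzeug")
    except metadata.PackageNotFoundError as exc:
        return [f"package not installed: {exc}"]
    return triage(fv, wv)


if __name__ == "__main__":
    # Constructed candidate list: with Flask 1.1.1 every entry is either in the
    # advisory range or breaks the import, which is the reporter's dilemma.
    print(compatible_werkzeug("1.1.1", ["2.0.3", "2.1.0", "2.1.1"]))  # []
    for line in triage_installed() or ["no findings for the installed pair"]:
        print(line)
```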

Hi, you can try my restx-monkey to patch for the latest Werkzeug and Flask compatibility.

Ryu-CZ, Aug 31 '22 14:08

Turns out the dispute over this CVE-2022-29361 is because there's a development-only HTTP server that, when running in development mode outside of the Werkzeug project's hands, exposes users to a vulnerability (I guess. That's my read of the situation.) It's got nothing to do with Werkzeug and there's nothing they can do to "fix" what isn't broken. Also, the maintainer appears to be fed up with CVE disputes because they lead nowhere and are opened and fingers are pointed and there's no good resolution process (shrug).

That said, the maintainers of Werkzeug say to update your software anyway because it's good practice, I guess.

https://github.com/pallets/werkzeug/issues/2420
https://github.com/pallets/werkzeug/issues/2431

activedecay, Sep 09 '22 21:09