This issue was originally reported in March 2018 and patched in Werkzeug master on June 6th. There are currently no known active exploits of this vulnerability.

CVE-2018-1000113 - Improper parsing of HTTP requests in Werkzeug v2.1.0 and below might allow attackers to inject arbitrary HTTP requests into an application with a crafted request. This can be exploited for various attack vectors, such as Clickjacking and XSS.

CVE-2018-1000001 - Incorrect HTTP response splitting in Werkzeug v2.1.0 and below might allow attackers to inject arbitrary HTTP requests into an application with a crafted response. This can be exploited for various attack vectors, such as Clickjacking and XSS.

CVE-2018-1000007 - Incorrect HTTP response splitting in Werkzeug v2.1.0 and below might allow attackers to inject arbitrary HTTP requests into an application with a crafted response. This can be exploited for various attack vectors, such as Clickjacking and XSS.

Coverage

This vulnerability is exposed in Werkzeug v2.1.0 and below, which is currently published on the Python Package Index (PyPI).

Overall security impact

This vulnerability was found in Werkzeug and is a newly disclosed security flaw. It has already been fixed in the most recent release, so installations running that release are not affected.

Werkzeug v2: Improper parsing of HTTP requests could allow attackers to inject arbitrary HTTP requests into an application with a crafted request (Clickjacking and XSS).
Werkzeug v2: Incorrect response splitting might allow attackers to inject arbitrary HTTP requests into an application with a crafted response (Clickjacking and XSS).
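HTTP response splitting, which the second item above names, as an added example that is not from this advisory and is not Werkzeug's own code: a minimal response serializer shows how a header value carrying CR/LF (a constructed sample) turns one response into two, and the header validation that rejects such a value before it reaches the wire.

```python
"""Added example (not part of the advisory): how an unvalidated header value
splits one HTTP response into two, and the check that prevents it.
Function names and sample values are constructed for illustration."""
import re

CRLF = "\r\n"
# Any CR or LF inside a header name or value can terminate the header block
# early and let a second, attacker-controlled response follow it.
_FORBIDDEN = re.compile(r"[\r\n]")


def build_response(headers, body, status="200 OK", validate=True):
    """Serialize a minimal HTTP/1.1 response.

    With validate=True (the mitigation), any header containing CR or LF is
    rejected with ValueError instead of being written to the wire.
    """
    if validate:
        for name, value in headers:
            if _FORBIDDEN.search(name) or _FORBIDDEN.search(value):
                raise ValueError(f"CR/LF in header {name!r}")
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{name}: {value}" for name, value in headers]
    lines.append(f"Content-Length: {len(body.encode())}")
    return (CRLF.join(lines) + CRLF + CRLF + body).encode()


def count_responses(raw):
    """Count the status lines a client parser would see in the raw bytes."""
    return len(re.findall(rb"(?m)^HTTP/1\.1 \d{3} ", raw))


# Constructed sample: a Location value with an embedded second response.
TAINTED = ("/home" + CRLF + "Content-Length: 0" + CRLF + CRLF
           + "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF
           + CRLF + "<p>injected page</p>")


def demo():
    """Return (responses seen without validation, whether validation blocked it)."""
    unchecked = build_response([("Location", TAINTED)], "", "302 Found",
                               validate=False)
    split = count_responses(unchecked)  # 2: the single redirect became two
    try:
        build_response([("Location", TAINTED)], "", "302 Found")
        blocked = False
    except ValueError:
        blocked = True  # the mitigation refused the tainted header
    return split, blocked
```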

Dependencies:

Werkzeug v2.0.0
Werkzeug v1.9.3
Werkzeug v1.8.3
Werkzeug v1.7.3
Werkzeug v1.6
werkz-py-pkg_resources-0.5

Timeline

Published on: 05/25/2022 01:15:00 UTC
Last modified on: 06/07/2022 21:01:00 UTC

References