CVE-2022-29361 — HTTP Request Smuggling in Werkzeug

CWE-444 — HTTP Request Smuggling7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

31.1%

top 3.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palletsprojects Werkzeug

Timeline

PublishedMay 25

Latest updateJul 15

Description

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶PyPIpalletsprojects/werkzeug< 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85+1

▶NVDpalletsprojects/werkzeug2.1.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-7wxw-4483-3m34: Improper parsing of HTTP requests in Pallets Werkzeug v2↗2022-05-26

▶

OSV

CVE-2022-29361: Improper parsing of HTTP requests in Pallets Werkzeug v2↗2022-05-25

▶

OSV

CVE-2022-29361: ** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2↗2022-05-25

▶

CVEList

CVE-2022-29361: Improper parsing of HTTP requests in Pallets Werkzeug v2↗2022-05-24

▶

📋Vendor Advisories

Oracle

Oracle Oracle Analytics Risk Matrix: Analytics Server (Werkzeug) — CVE-2022-29361↗2023-07-15

▶

Red Hat

python-Werkzeug: HTTP Request Smuggling↗2022-05-25

▶