This issue was originally reported in March 2018 and patched in Werkzeug master on June 6th. There are currently no known active exploits of this vulnerability.
CVE-2018-1000113 - Improper parsing of HTTP requests in Werkzeug v2.1.0 and below might allow attackers to inject arbitrary HTTP requests into an application with a crafted request. This can be exploited for various attack vectors, such as Clickjacking and XSS.
CVE-2018-1000001 - Incorrect HTTP response splitting in Werkzeug v2.1.0 and below might allow attackers to inject arbitrary HTTP requests into an application with a crafted response. This can be exploited for various attack vectors, such as Clickjacking and XSS.
CVE-2018-1000007 - Incorrect HTTP response splitting in Werkzeug v2.1.0 and below might allow attackers to inject arbitrary HTTP requests into an application with a crafted response. This can be exploited for various attack vectors, such as Clickjacking and XSS.
CVE-2018-1000001 - Incorrect HTTP response splitting in Werkzeug v2.1.0 and below might allow attackers to inject arbitrary HTTP requests into an application with a crafted response. This can be exploited for various attack vectors, such as Clickjacking and XSS.
CVE-2018-1000001 - Incorrect HTTP response splitting in Werkzeug v2
Coverage
This vulnerability is exposed in Werkzeug v2.1.0 and below, which is currently a part of the python package index on PyPi. This issue was originally reported in March 2018 and fixed in Werkzeug master on June 6th. There are currently no known active exploits of this vulnerability.
Overall security impact
This vulnerability was found in Werkzeug. It's a new security flaw. The good news is that it has already been fixed in the most recent release, so it won't affect your current installation of Werkzeug.
Werkzeug v2: Improper parsing of HTTP requests could allow attackers to inject arbitrary HTTP requests into an application with a crafted request - Clickjacking and XSS.
Werkzeug v2: Incorrect response splitting might allow attackers to inject arbitrary HTTP requests into an application with a crafted response - Clickjacking and XSS.
Dependencies :
Werkzeug v2.0.0
Werkzeug v1.9.3
Werkzeug v1.8.3
Werkzeug v1.7.3
Werkzeug v1.6
werkz-py-pkg_resources-0.5
Timeline
Published on: 05/25/2022 01:15:00 UTC
Last modified on: 06/07/2022 21:01:00 UTC