CVE-2022-29361
HTTP Request Smuggling vulnerability in werkzeug

HTTP Request Smuggling Proof of Concept

What is CVE-2022-29361 About?

This vulnerability is an HTTP request smuggling flaw in Pallets Werkzeug 2.1.0 and earlier, caused by improper parsing of HTTP requests. An attacker can smuggle a request by sending a crafted HTTP request whose body carries additional requests, which can lead to cache poisoning or unauthorized access. The vendor's position is that the behaviour occurs only in unsupported configurations: development mode combined with an HTTP server from outside the Werkzeug project.

Affected Software

  • werkzeug
    • releases before 2.1.1
    • source checkouts before commit 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85

Technical Details

Pallets Werkzeug versions up to and including 2.1.0 parse HTTP requests improperly, which allows HTTP request smuggling. The attacker sends a crafted request that carries one or more further requests inside its body. If a front-end proxy or load balancer and the vulnerable Werkzeug backend disagree about where that request's body ends, the two components desynchronize: bytes the front end treats as body are treated by the backend as the start of the next request on the same keep-alive connection. The attacker can use this to prepend an attacker-controlled prefix to the next user's legitimate request, bypassing front-end security controls, poisoning caches, or gaining unauthorized access. The vendor disputes the severity: in its position the behaviour can only occur in unsupported configurations, namely development mode combined with an HTTP server from outside the Werkzeug project. A practical first check is therefore whether the Werkzeug development server is exposed behind a proxy at all; the project documents that server as not intended for production use.
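The desynchronization described above, as an added example that is not code from the original page, from Werkzeug, or from either PoC: two deliberately simplified HTTP/1.1 parsers frame the body of the same keep-alive byte stream differently, one by Content-Length and one by Transfer-Encoding: chunked, so they split the stream into different request sequences. The parsers, the request bytes and the CL.TE layout are constructed for illustration and do not model the specific parsing behaviour of Werkzeug or of any particular proxy. The strict framing check at the end is the kind of rejection a front end should apply.

```python
# Added illustration (not Werkzeug code): how two HTTP/1.1 parsers that frame
# the message body differently split one keep-alive byte stream into different
# request sequences, and a strict framing check that rejects the ambiguity.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ParsedRequest:
    request_line: str
    headers: dict[str, str]
    body: bytes


def _split_head(buf: bytes, start: int):
    """Parse the request line and headers beginning at `start`.

    Returns (request_line, headers, body_start), or None if the head is
    incomplete. Duplicate header names are joined with ", " so the framing
    check below can see conflicting values.
    """
    idx = buf.find(b"\r\n\r\n", start)
    if idx < 0:
        return None
    lines = buf[start:idx].decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key, val = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return lines[0], headers, idx + 4


def _read_chunked(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Decode a chunked body at `pos`; return (body, offset after the body)."""
    body = b""
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(buf[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            while not buf.startswith(b"\r\n", pos):  # skip trailer fields
                eol = buf.find(b"\r\n", pos)
                if eol < 0:
                    raise ValueError("truncated trailer")
                pos = eol + 2
            return body, pos + 2
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF


def parse_stream(buf: bytes, framing: str) -> list[ParsedRequest]:
    """Split a keep-alive stream into requests.

    framing="cl": frame by Content-Length and ignore Transfer-Encoding (the
    behaviour assumed for the front end in the demo).
    framing="te": honour Transfer-Encoding: chunked when present (assumed for
    the back end). Neither is a model of any specific real server.
    """
    requests: list[ParsedRequest] = []
    pos = 0
    while pos < len(buf):
        head = _split_head(buf, pos)
        if head is None:
            break
        request_line, headers, body_start = head
        te = headers.get("transfer-encoding", "").lower()
        if framing == "te" and "chunked" in te:
            body, pos = _read_chunked(buf, body_start)
        else:
            length = int(headers.get("content-length", "0").split(",")[0])
            body = buf[body_start:body_start + length]
            pos = body_start + length
        requests.append(ParsedRequest(request_line, headers, body))
    return requests


def framing_problem(headers: dict[str, str]) -> str | None:
    """Reason to reject a request as ambiguously framed (RFC 7230 3.3.3), else None."""
    cl, te = headers.get("content-length"), headers.get("transfer-encoding")
    if cl is not None and te is not None:
        return "both Content-Length and Transfer-Encoding present"
    if te is not None and te.lower().split(",")[-1].strip() != "chunked":
        return "Transfer-Encoding does not end with chunked"
    if cl is not None:
        values = {v.strip() for v in cl.split(",")}
        if len(values) != 1 or not values.pop().isdigit():
            return "conflicting or non-numeric Content-Length"
    return None


def demo() -> tuple[list[ParsedRequest], list[ParsedRequest]]:
    """Constructed CL.TE stream: the attacker's Content-Length covers the chunked
    terminator plus a smuggled prefix; a legitimate request from another client
    then follows on the reused back-end connection."""
    smuggled = b"0\r\n\r\nGET /admin HTTP/1.1\r\nX-Ignore: "
    attacker = (
        b"POST / HTTP/1.1\r\nHost: victim\r\n"
        + b"Content-Length: %d\r\n" % len(smuggled)
        + b"Transfer-Encoding: chunked\r\n\r\n"
        + smuggled
    )
    victim = b"GET /home HTTP/1.1\r\nHost: victim\r\n\r\n"
    stream = attacker + victim
    return parse_stream(stream, "cl"), parse_stream(stream, "te")


if __name__ == "__main__":
    front, back = demo()
    print("front end sees:", [r.request_line for r in front])
    print("back end sees: ", [r.request_line for r in back])
    print("reject first request?", framing_problem(front[0].headers))
```

Run directly, the script shows the front end forwarding "GET /home" while the back end executes "GET /admin" with the victim's request line swallowed into an X-Ignore header. The attacker's request fails the strict check, which is the defensive posture for a front end: refuse ambiguous framing or normalise it to a single framing before forwarding, and close the back-end connection on any framing error rather than reuse it.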

What is the Impact of CVE-2022-29361?

Successful exploitation may let an attacker bypass front-end security controls, poison a shared cache with attacker-chosen responses, or reach resources that the front end would otherwise block.

What is the Exploitability of CVE-2022-29361?

Exploitation complexity is moderate to high: it requires an understanding of HTTP/1.1 message framing and of how the specific proxy and backend resolve an ambiguous request, for example one that carries both Content-Length and Transfer-Encoding. The prerequisites are a vulnerable Werkzeug server (2.1.0 or earlier) reachable through an intermediary proxy or load balancer that frames requests differently than Werkzeug does, and reuse of the backend connection across requests so that leftover bytes reach another user's request. No authentication or privileges on the target application are required, because the attack targets the parsing discrepancy between network components, and the attack is remote. As the vendor notes, the affected behaviour is only reached in development mode with an HTTP server from outside the Werkzeug project, which limits real-world exposure. Risk increases when the application sits behind several layers of request processing, especially with non-standard configurations.

What are the Known Public Exploits?

PoC Author   Link   Commentary
kevin-mizu   Link   PoC for CVE-2022-29361
l3ragio      Link   PoC for CVE-2022-29361

What are the Available Fixes for CVE-2022-29361?

Available Upgrade Options

  • werkzeug
    • releases before 2.1.1 → upgrade to 2.1.1 or later
    • source checkouts before commit 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85 → update to a checkout that contains that commit

Confirm the installed version before and after upgrading with: python -m pip show werkzeug

Additional Resources

What are Similar Vulnerabilities to CVE-2022-29361?

Similar Vulnerabilities: CVE-2021-33200, CVE-2020-11005, CVE-2019-17495, CVE-2023-28430, CVE-2020-0010