CVE-2023-23934
Cross-subdomain cookie manipulation vulnerability in werkzeug (PyPI)
What is CVE-2023-23934 About?
This vulnerability in Werkzeug allows attackers on an adjacent subdomain to manipulate 'nameless' cookies that are parsed incorrectly by older versions of Werkzeug. This can lead to a Werkzeug application receiving an attacker-controlled cookie value for a legitimate key. Exploitation is medium difficulty, requiring specific browser behavior and a malicious adjacent subdomain.
Affected Software
- werkzeug: versions before 2.2.3
- werkzeug: versions before commit cf275f42acad1b5950c50ffe8ef58fe62cdce028
Technical Details
Werkzeug versions prior to 2.2.3 are vulnerable to improper parsing of 'nameless' cookies, which appear as =value. Modern browsers may allow such cookies. If a vulnerable browser encounters a compromised or malicious application on an adjacent subdomain (e.g., mail.example.com while the target is app.example.com), the malicious subdomain can set a cookie structured like =__Host-test=bad. When the browser accesses the target Werkzeug application, it incorrectly sends this cookie. Werkzeug's vulnerable parsing logic interprets this as __Host-test=bad, effectively assigning 'bad' to the cookie key __Host-test. This allows an attacker to inject arbitrary, malicious values into specific cookie keys, potentially leading to session hijacking, privilege escalation, or other unauthorized actions if the target application relies on the integrity of those cookie values.
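The parsing behaviour described above can be reproduced with a small, constructed example. The code below is an added illustration, not Werkzeug's own implementation: parse_cookie_lax is a deliberately simplified regex-based parser that shows the bug class (the name pattern cannot match an empty string, so the leading "=" of a nameless cookie is skipped and the rest, __Host-test=bad, is read as a normal name/value pair), parse_cookie_strict shows the defensive behaviour of discarding any pair whose name is empty, and find_nameless_cookies is a detection helper a middleware or log pipeline could use to flag requests that carry nameless cookies. All function names and the sample Cookie header values are assumptions made for this example.

```python
import re

# Illustrative vulnerable-style parser (constructed for this example, NOT
# Werkzeug's code). The name group requires at least one character, so for
# the input "=__Host-test=bad" the regex engine cannot match at the leading
# "=", slides past it, and then matches "__Host-test" as the name.
_LAX_COOKIE_RE = re.compile(r"(?P<name>[^=;\s]+)\s*=\s*(?P<value>[^;]*)")


def parse_cookie_lax(header: str) -> dict:
    """Vulnerable-style parse: a nameless '=value' cookie is silently
    re-read as 'name=value' taken from inside the value."""
    return {
        m.group("name").strip(): m.group("value").strip()
        for m in _LAX_COOKIE_RE.finditer(header)
    }


def parse_cookie_strict(header: str) -> dict:
    """Defensive parse: split on ';', split each item on its FIRST '=',
    and discard any item whose name is empty (or that has no '=' at all).
    First occurrence of a name wins, so a later duplicate cannot overwrite."""
    result: dict = {}
    for item in header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name:
            # nameless cookie ("=value") or bare token: never assign it
            continue
        result.setdefault(name, value.strip())
    return result


def find_nameless_cookies(header: str) -> list:
    """Detection helper: return the raw payloads of every nameless cookie in
    a Cookie header so a request filter or SIEM rule can log or reject it."""
    found = []
    for item in header.split(";"):
        item = item.strip()
        if item.startswith("="):
            found.append(item[1:])
    return found


if __name__ == "__main__":
    # Constructed sample headers, modelled on the advisory's "=__Host-test=bad".
    for hdr in ("=__Host-test=bad", "session=abc; =__Host-test=bad"):
        print(repr(hdr))
        print("  lax   :", parse_cookie_lax(hdr))
        print("  strict:", parse_cookie_strict(hdr))
        print("  flagged nameless cookies:", find_nameless_cookies(hdr))
```

Running the block shows the lax parser handing the application the key __Host-test with the value bad, while the strict parser drops the nameless entry and keeps only the legitimate session cookie; the detection helper returns the stripped payload so it can be written to a log line without the application ever consuming it.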
What is the Impact of CVE-2023-23934?
Successful exploitation may allow attackers to inject malicious cookie values into a target application, leading to session hijacking, unauthorized access, or manipulation of application state.
What is the Exploitability of CVE-2023-23934?
Exploitation of this vulnerability is complex, requiring a specific combination of conditions: a vulnerable Werkzeug application, an adjacent subdomain controlled by an attacker, and a browser exhibiting the 'nameless' cookie behavior. No specific authentication is required at the target Werkzeug application for the cookie manipulation itself, but the attacker needs control over a separate, adjacent subdomain. This is a remote attack. Constraints include the need for a 'vulnerable' browser and successful compromise or control of a subdomain. The risk increases if the target application relies heavily on cookie values for security-sensitive operations without adequate validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-23934?
About the Fix from Resolved Security
Available Upgrade Options
- werkzeug: versions before commit cf275f42acad1b5950c50ffe8ef58fe62cdce028 → upgrade to commit cf275f42acad1b5950c50ffe8ef58fe62cdce028
- werkzeug: versions before 2.2.3 → upgrade to 2.2.3
Additional Resources
- https://www.debian.org/security/2023/dsa-5470
- https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
- https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
- https://github.com/pallets/werkzeug/releases/tag/2.2.3
- https://nvd.nist.gov/vuln/detail/CVE-2023-23934
- https://osv.dev/vulnerability/GHSA-px8h-6qxv-m22q
- https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-57.yaml
What are Similar Vulnerabilities to CVE-2023-23934?
Similar Vulnerabilities: CVE-2020-13692, CVE-2021-23377, CVE-2021-29465, CVE-2020-5398, CVE-2020-7798
