
chore(deps): [database-archival] Update dependency Werkzeug to v3.0.6 [SECURITY] #145

Open: wants to merge 1 commit into base: main

Conversation

@renovate-bot renovate-bot (Contributor) commented Jan 13, 2025

This PR contains the following updates:

| Package | Change |
| --- | --- |
| Werkzeug (changelog) | ==3.0.4 -> ==3.0.6 |
| werkzeug (changelog) | ==3.0.4 -> ==3.0.6 |
| werkzeug (changelog) | ==2.2.3 -> ==3.0.6 |

GitHub Vulnerability Alerts

CVE-2024-49766

On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.

CVE-2024-49767

Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting.

The Request.max_content_length setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

CVE-2023-46136

Werkzeug's multipart data parser needs to find a boundary that may be split between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, the code looking for a partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal bytearray and the lookup for the boundary is performed on the growing buffer.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

CVE-2024-34069

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

This PR was generated by Mend Renovate. View the repository job log.
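As an added defender-side illustration of the CVE-2024-49766 item in the PR description above (example code, not Werkzeug's own safe_join() and not part of this PR), the helper below refuses UNC and drive-letter paths on every platform and Python version instead of trusting os.path.isabs(). The function names and sample paths are constructed for this example.

```python
import os
import posixpath
import re

# Constructed example, not Werkzeug's implementation. The advisory notes that
# os.path.isabs() on Python < 3.11 on Windows does not recognise UNC paths such
# as //server/share, so a join that relies on it alone can be bypassed. This
# regex flags UNC (//host or \\host) and drive-letter (C:) prefixes explicitly.
_UNSAFE_PREFIX = re.compile(r"^(?:[/\\]{2}|[a-zA-Z]:)")


def is_absolute_anywhere(path: str) -> bool:
    """True if the path is absolute under any OS's rules, not just this host's."""
    return os.path.isabs(path) or bool(_UNSAFE_PREFIX.match(path))


def safe_join(directory: str, *pathnames: str):
    """Join untrusted components onto a base directory, POSIX style.

    Returns the joined path, or None if any component is absolute (by the
    stricter check above), contains a backslash, or climbs out of the base.
    """
    if not directory:
        directory = "."
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            # Collapse "a/../b" style segments before inspecting the result.
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename
            or is_absolute_anywhere(filename)
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


if __name__ == "__main__":
    base = "/srv/data"  # constructed base directory
    for candidate in ("reports/q1.csv", "//server/share", "C:/x", "../../etc"):
        print(repr(candidate), "->", safe_join(base, candidate))
```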

@code-review-assist code-review-assist bot left a comment

Hi team,

I'm currently reviewing this pull request and will provide a full review shortly. In the meantime, here's a summary for you and other reviewers to quickly get up to speed:

This pull request, submitted by Renovate Bot, updates the Werkzeug dependency across multiple files within the cloud-solutions repository's database-archival project. The primary goal is to address several security vulnerabilities (CVE-2024-49766, CVE-2024-49767, CVE-2023-46136, and CVE-2024-34069) identified in older versions of Werkzeug.

Here's a breakdown of the changes:

  • Files Affected:

    • projects/database-archival/requirements.txt (lines 2955-2960): Updates Werkzeug from version 2.2.3 to 3.0.6.
    • projects/database-archival/src/database_archival/pruning_function/requirements.in (line 21): Updates Werkzeug from version 3.0.4 to 3.0.6.
    • projects/database-archival/src/database_archival/pruning_function/requirements.txt (lines 1140-1145): Updates Werkzeug from version 3.0.4 to 3.0.6.
  • Vulnerabilities Addressed: The PR addresses four CVEs related to path traversal, resource exhaustion, inefficient multipart data parsing, and a debugger code execution vulnerability. The PR description provides detailed information on each CVE.

  • Automerge: Automerge is disabled; manual merging is required.

I'll be back with a more detailed review soon. Until then, please review the changes and let me know if you have any questions.


A little poem for your coding pleasure:

Code flows like a river,
Security patches mend,
Vulnerabilities vanish.

Thanks,
Gemini

@code-review-assist code-review-assist bot left a comment

This pull request updates the Werkzeug dependency to version 3.0.6, addressing several CVEs. This update is important for enhancing security and should be merged promptly. However, because this is a major version bump from 2.2.3 to 3.0.6 for one of the Werkzeug dependencies, ensure thorough testing is conducted to guarantee compatibility and avoid unforeseen issues. Carefully review the changelog for Werkzeug 3.0.0 to identify any breaking changes that might necessitate code modifications.

@renovate-bot renovate-bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 7f45672 to cb10863 on January 24, 2025 08:13