{"id":"MGASA-2024-0351","summary":"Updated python-werkzeug packages fix security vulnerability","details":"Werkzeug is a Web Server Gateway Interface web application library.\nApplications using `werkzeug.formparser.MultiPartParser` corresponding\nto a version of Werkzeug prior to 3.0.6 to parsing `multipart/form-data`\nrequests (e.g. all flask applications) are vulnerable to a relatively\nsimple but effective resource exhaustion (denial of service) attack. A\nspecifically crafted form submission request can cause the parser to\nallocate and block 3 to 8 times the upload size in main memory. There is\nno upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in\nless than 60 seconds. Werkzeug version 3.0.6 fixes this issue.\n","modified":"2026-04-16T04:41:24.136476831Z","published":"2024-11-09T05:17:41Z","upstream":["CVE-2024-49767"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0351.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33732"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7093-1"}],"affected":[{"package":{"name":"python-werkzeug","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/python-werkzeug?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.6-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0351.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}