CVE-2024-49767
CVE Details
Visit the official vulnerability details page for CVE-2024-49767 to learn more.
Initial Publication
10/26/2024
Last Update
12/16/2024
Third Party Dependency
Werkzeug
NIST CVE Summary
Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
CVE Severity
Our Official Summary
A flaw was found in the Werkzueg web application library. Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting and trigger a denial of service.
This vulnerability is reported on a few third party images which do not use this library or process data and hence the risk of occurence is very low. Impact of exploitation is also low because attack surface is limited to the container. Once the fix becomes available, we will adopt the fixed images.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.5.15 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.11 | ✅ No Impact | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
| 4.5.10 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.8 | ✅ No Impact | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
| 4.5.5 | ✅ No Impact | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
| 4.4.20 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|
| 12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
| 12/09/2024 | Official summary revised: A flaw was found in the Werkzueg web application library. Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting and trigger a denial of service.This vulnerability is reported on a few third party images which do not use this library or process data and hence the risk of occurence is very low. Impact of exploitation is alsolow because attack surface is limited to the container. Once the fix becomes available, we will adopt the fixed images. |
| 12/06/2024 | Advisory severity revised to HIGH from MEDIUM |
| 12/05/2024 | Advisory severity revised to MEDIUM from HIGH |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
| 11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 11/06/2024 | Advisory assigned with HIGH severity |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |