{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"python-werkzeug security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for python-werkzeug is now available for openEuler-24.03-LTS-SP1",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"A comprehensive WSGI web application library\n\nSecurity Fix(es):\n\nWerkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without those characters, all of these bytes are appended chunk by chunk into an internal bytearray and the boundary lookup is repeated on the growing buffer. This allows an unauthenticated remote attacker to cause a denial of service by sending crafted multipart data to any endpoint that parses it. The CPU time required can block worker processes from handling legitimate requests. Upstream patched this in Werkzeug 3.0.1; openEuler ships the fix as a backport in python-werkzeug-2.2.3-4.oe2403sp1, so the installed package version remains 2.2.3 and version-only scanners that compare against 3.0.1 may still report it. Verify remediation by package release (2.2.3-4.oe2403sp1 or later), not by upstream version.(CVE-2023-46136)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for python-werkzeug is now available for openEuler-24.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"python-werkzeug",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2025-2000",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2000"
			},
			{
				"summary":"CVE-2023-46136",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-46136&packageName=python-werkzeug"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46136"
			},
			{
				"summary":"openEuler-SA-2025-2000 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-2000.json"
			}
		],
		"title":"An update for python-werkzeug is now available for openEuler-24.03-LTS-SP1",
		"tracking":{
			"initial_release_date":"2025-08-15T20:45:58+08:00",
			"revision_history":[
				{
					"date":"2025-08-15T20:45:58+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2025-08-15T20:45:58+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2025-08-15T20:45:58+08:00",
			"id":"openEuler-SA-2025-2000",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"openEuler-24.03-LTS-SP1",
									"name":"openEuler-24.03-LTS-SP1"
								},
								"name":"openEuler-24.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"python-werkzeug-2.2.3-4.oe2403sp1.src.rpm",
									"name":"python-werkzeug-2.2.3-4.oe2403sp1.src.rpm"
								},
								"name":"python-werkzeug-2.2.3-4.oe2403sp1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"python-werkzeug-help-2.2.3-4.oe2403sp1.noarch.rpm",
									"name":"python-werkzeug-help-2.2.3-4.oe2403sp1.noarch.rpm"
								},
								"name":"python-werkzeug-help-2.2.3-4.oe2403sp1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"python3-werkzeug-2.2.3-4.oe2403sp1.noarch.rpm",
									"name":"python3-werkzeug-2.2.3-4.oe2403sp1.noarch.rpm"
								},
								"name":"python3-werkzeug-2.2.3-4.oe2403sp1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"python-werkzeug-2.2.3-4.oe2403sp1.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:python-werkzeug-2.2.3-4.oe2403sp1.src",
					"name":"python-werkzeug-2.2.3-4.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"python-werkzeug-help-2.2.3-4.oe2403sp1.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:python-werkzeug-help-2.2.3-4.oe2403sp1.noarch",
					"name":"python-werkzeug-help-2.2.3-4.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"python3-werkzeug-2.2.3-4.oe2403sp1.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:python3-werkzeug-2.2.3-4.oe2403sp1.noarch",
					"name":"python3-werkzeug-2.2.3-4.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2023-46136",
			"notes":[
				{
					"text":"Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without those characters, all of these bytes are appended chunk by chunk into an internal bytearray and the boundary lookup is repeated on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that parses it. The CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched upstream in version 3.0.1.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS-SP1:python-werkzeug-2.2.3-4.oe2403sp1.src",
					"openEuler-24.03-LTS-SP1:python-werkzeug-help-2.2.3-4.oe2403sp1.noarch",
					"openEuler-24.03-LTS-SP1:python3-werkzeug-2.2.3-4.oe2403sp1.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS-SP1:python-werkzeug-2.2.3-4.oe2403sp1.src",
						"openEuler-24.03-LTS-SP1:python-werkzeug-help-2.2.3-4.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:python3-werkzeug-2.2.3-4.oe2403sp1.noarch"
					],
					"details":"python-werkzeug security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2000"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS-SP1:python-werkzeug-2.2.3-4.oe2403sp1.src",
						"openEuler-24.03-LTS-SP1:python-werkzeug-help-2.2.3-4.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:python3-werkzeug-2.2.3-4.oe2403sp1.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2023-46136"
		}
	]
}