{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49767", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-18T13:43:23.457Z", "datePublished": "2024-10-25T19:41:35.029Z", "dateUpdated": "2025-01-03T12:04:27.829Z"}, "containers": {"cna": {"title": "Werkzeug possible resource exhaustion when parsing file data in forms", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2"}, {"name": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee", "tags": ["x_refsource_MISC"], "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee"}, {"name": "https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f", "tags": ["x_refsource_MISC"], "url": "https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f"}, {"name": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b", "tags": ["x_refsource_MISC"], "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b"}, {"name": "https://github.com/pallets/werkzeug/releases/tag/3.0.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6"}], "affected": [{"vendor": "pallets", "product": "werkzeug", "versions": [{"version": "< 3.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-27T21:01:51.234Z"}, "descriptions": [{"lang": "en", "value": "Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue."}], "source": {"advisory": "GHSA-q34m-jh98-gwm2", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "palletsprojects", "product": "werkzeug", "cpes": ["cpe:2.3:a:palletsprojects:werkzeug:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.0.6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-25T20:06:53.070201Z", "id": "CVE-2024-49767", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-25T20:07:56.560Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250103-0007/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-03T12:04:27.829Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250103-0007/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-03T12:04:27.829Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49767", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-25T20:06:53.070201Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:palletsprojects:werkzeug:*:*:*:*:*:*:*:*"], "vendor": "palletsprojects", "product": "werkzeug", "versions": [{"status": "affected", "version": "0", "lessThan": "3.0.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-25T20:07:46.576Z"}}], "cna": {"title": "Werkzeug possible resource exhaustion when parsing file data in forms", "source": {"advisory": "GHSA-q34m-jh98-gwm2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "pallets", "product": "werkzeug", "versions": [{"status": "affected", "version": "< 3.0.6"}]}], "references": [{"url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2", "name": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee", "name": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f", "name": "https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b", "name": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6", "name": "https://github.com/pallets/werkzeug/releases/tag/3.0.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-27T21:01:51.234Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49767", "state": "PUBLISHED", "dateUpdated": "2025-01-03T12:04:27.829Z", "dateReserved": "2024-10-18T13:43:23.457Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-25T19:41:35.029Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:palletsprojects:quart:*:*:*:*:*:python:*:*", "matchCriteriaId": "9E539F20-B2D2-42F4-98D4-DB92AAB1741E", "versionEndExcluding": "0.19.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:palletsprojects:werkzeug:*:*:*:*:*:*:*:*", "matchCriteriaId": "50FE9673-B294-4203-9C8D-DEF5028AE799", "versionEndExcluding": "3.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue."}, {"lang": "es", "value": "Werkzeug es una librer\u00eda de aplicaciones web de interfaz de puerta de enlace de servidor web. Las aplicaciones que utilizan `werkzeug.formparser.MultiPartParser` correspondiente a una versi\u00f3n de Werkzeug anterior a la 3.0.6 para analizar solicitudes `multipart/form-data` (por ejemplo, todas las aplicaciones Flask) son vulnerables a un ataque de agotamiento de recursos (denegaci\u00f3n de servicio) relativamente simple pero efectivo. Una solicitud de env\u00edo de formulario manipulada espec\u00edficamente puede hacer que el analizador asigne y bloquee de 3 a 8 veces el tama\u00f1o de carga en la memoria principal. No hay un l\u00edmite superior; una sola carga a 1 Gbit/s puede agotar 32 GB de RAM en menos de 60 segundos. La versi\u00f3n 3.0.6 de Werkzeug corrige este problema."}], "id": "CVE-2024-49767", "lastModified": "2025-01-03T12:15:26.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-10-25T20:15:04.530", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee"}, {"source": "[email protected]", "url": "https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250103-0007/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}], "source": "[email protected]", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10852", "cpe": "cpe:/a:redhat:openshift_ai:2.16::el8", "package": "registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8:sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af", "product_name": "Red Hat OpenShift AI 2.16", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2025:1448", "cpe": "cpe:/a:redhat:openshift_ai:2.17::el8", "package": "registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8:sha256:78e18816a15b2d744a76710523a574f483606646d5e661b58a1d8562dc85526f", "product_name": "Red Hat OpenShift AI 2.17", "release_date": "2025-02-13T00:00:00Z"}], "bugzilla": {"description": "werkzeug: python-werkzeug: Werkzeug possible resource exhaustion when parsing file data in forms", "id": "2321829", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321829"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "(CWE-400|CWE-770)", "details": ["Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.", "A flaw was found in the Werkzueg web application library. Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting and trigger a denial of service."], "mitigation": {"lang": "en:us", "value": "The Request.max_content_length setting and resource limits provided by deployment software and platforms are available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application."}, "name": "CVE-2024-49767", "package_state": [{"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Under investigation", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2024-10-25T19:41:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-49767\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49767\nhttps://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee\nhttps://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b\nhttps://github.com/pallets/werkzeug/releases/tag/3.0.6\nhttps://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption | CWE-770: Allocation of Resources Without Limits or Throttling vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform enforces hardening guidelines to apply the most restrictive settings required for operations, while baseline configurations maintain secure system and software states. A defense-in-depth monitoring strategy includes perimeter firewalls and endpoint protection services that help detect excessive resource usage caused by malicious activity or misconfigurations. In the event of exploitation, process isolation ensures workloads run in separate environments, preventing any single process from overconsuming CPU or memory and degrading system performance.", "threat_severity": "Moderate"}