Bug 2170243 (CVE-2023-23934)

Summary: CVE-2023-23934 python-werkzeug: cookie prefixed with = can shadow unprefixed cookie
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: amctagga, aoconnor, apevec, bcl, bdettelb, bniver, dfreiber, doconnor, dranck, drow, eglynn, flucifre, gmeno, gtanzill, jburrell, jjoyce, jschluet, lbrazdil, lhh, lsvaty, manisandro, mbenjamin, mburns, mgarciac, mhackett, mminar, njohnston, nobody, pgrist, rbiba, rhos-maint, rogbas, scohen, sostapov, spower, sskracic, teagle, tpfromme, vereddy, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-werkzeug 2.2.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-werkzeug. Browsers may allow "nameless" cookies like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie for another subdomain. If a Werkzeug application is running next to a vulnerable or malicious subdomain that sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2170245, 2170247, 2170249, 2170251, 2170252, 2170254, 2170257, 2170258, 2170260, 2170263, 2170265, 2170267, 2170268, 2170269, 2170270, 2170271, 2170317, 2254407, 2306554    
Bug Blocks: 2169911    

Description Anten Skrabec 2023-02-16 00:14:38 UTC 
Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain.

Werkzeug <= 2.2.2 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
Comment 1 Anten Skrabec 2023-02-16 00:20:28 UTC 
Created cascadia-code-fonts tracking bugs for this issue:

Affects: fedora-36 [bug 2170249]


Created jetbrains-mono-fonts tracking bugs for this issue:

Affects: fedora-36 [bug 2170251]


Created mingw-python-werkzeug tracking bugs for this issue:

Affects: fedora-all [bug 2170258]


Created mote tracking bugs for this issue:

Affects: epel-7 [bug 2170245]


Created ndiscover-exo-2-fonts tracking bugs for this issue:

Affects: fedora-37 [bug 2170260]


Created openstack-vitrage tracking bugs for this issue:

Affects: openstack-rdo [bug 2170265]


Created oraculum tracking bugs for this issue:

Affects: fedora-36 [bug 2170252]


Created python-flask-caching tracking bugs for this issue:

Affects: fedora-36 [bug 2170254]


Created python-tilestache tracking bugs for this issue:

Affects: fedora-36 [bug 2170257]


Created python-werkzeug tracking bugs for this issue:

Affects: fedora-all [bug 2170263]
Affects: openstack-rdo [bug 2170267]


Created python3-werkzeug tracking bugs for this issue:

Affects: epel-7 [bug 2170247]
Comment 5 Sandro Mani 2023-03-07 08:43:58 UTC 
Patch: https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
Fixed in werkzeug-2.2.3
Comment 9 errata-xmlrpc 2025-06-26 12:12:11 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 8.1

Via RHSA-2025:9775 https://access.redhat.com/errata/RHSA-2025:9775