Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug <= 2.2.2 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
Created cascadia-code-fonts tracking bugs for this issue: Affects: fedora-36 [bug 2170249] Created jetbrains-mono-fonts tracking bugs for this issue: Affects: fedora-36 [bug 2170251] Created mingw-python-werkzeug tracking bugs for this issue: Affects: fedora-all [bug 2170258] Created mote tracking bugs for this issue: Affects: epel-7 [bug 2170245] Created ndiscover-exo-2-fonts tracking bugs for this issue: Affects: fedora-37 [bug 2170260] Created openstack-vitrage tracking bugs for this issue: Affects: openstack-rdo [bug 2170265] Created oraculum tracking bugs for this issue: Affects: fedora-36 [bug 2170252] Created python-flask-caching tracking bugs for this issue: Affects: fedora-36 [bug 2170254] Created python-tilestache tracking bugs for this issue: Affects: fedora-36 [bug 2170257] Created python-werkzeug tracking bugs for this issue: Affects: fedora-all [bug 2170263] Affects: openstack-rdo [bug 2170267] Created python3-werkzeug tracking bugs for this issue: Affects: epel-7 [bug 2170247]
Patch: https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028 Fixed in werkzeug-2.2.3