CVE-2024-49767

Lifecycle of CVE-2024-49767
11/7/2024
Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all Flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
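A dependency check for the version boundary stated above, as an added example that is not part of the original advisory or of Werkzeug: it flags Werkzeug pins older than 3.0.6 in `pip freeze`-style text and reports the installed version. The sample pins are constructed, and the function names are hypothetical.

```python
import re
from importlib import metadata

FIXED = (3, 0, 6)  # first fixed Werkzeug release, per the advisory text
# "name==version" pin as written by `pip freeze`; extras and markers tolerated
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
VERSION = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")
PRERELEASE = re.compile(r"^[.\-_]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)

def is_vulnerable(version):
    """True if version is older than 3.0.6; pre-releases of 3.0.6 count as older."""
    m = VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (len(FIXED) - len(release))  # "3.0" -> (3, 0, 0)
    if release < FIXED:
        return True
    return release == FIXED and bool(PRERELEASE.match(m.group(2)))

def audit_pins(text):
    """Return (line_number, version, vulnerable) for every Werkzeug pin in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        # Package names compare case-insensitively, with -, _ and . equivalent
        if m and re.sub(r"[-_.]+", "-", m.group(1)).lower() == "werkzeug":
            findings.append((lineno, m.group(2), is_vulnerable(m.group(2))))
    return findings

def installed_status():
    """(version, vulnerable) for the running interpreter, or None if not installed."""
    try:
        version = metadata.version("werkzeug")
    except metadata.PackageNotFoundError:
        return None
    return version, is_vulnerable(version)

# Constructed sample input, not taken from a real deployment
SAMPLE = """\
# requirements lock (constructed)
Flask==3.0.3
Werkzeug==3.0.4
werkzeug[watchdog]==2.3.7 ; python_version >= "3.8"
Werkzeug==3.0.6
"""

if __name__ == "__main__":
    for lineno, version, bad in audit_pins(SAMPLE):
        print(f"line {lineno}: Werkzeug {version} {'VULNERABLE' if bad else 'ok'}")
    print("installed:", installed_status())
```

A pin only shows what was requested at build time; `installed_status()` run inside the application's own environment shows what is actually loaded.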
Investigation is ongoing to determine how this vulnerability impacts our products.
Ongoing
- Palette Enterprise airgap 4.5.8
- Palette Enterprise 4.5.8
- 1.0 11/7/2024 Initial Publication
- 2.0 11/7/2024 Added Palette Enterprise airgap and Palette Enterprise airgap 4.5.8 to Affected Products