Security Advisories

CGA-88jf-v7r2-2xm7

Published

Last updated

https://images.chainguard.dev/security/CGA-88jf-v7r2-2xm7
Package

kubeflow-pipelines-visualization-server

Latest Update
Fixed
Fixed Version

2.4.0-r0

Aliases
  • CVE-2023-23934
  • GHSA-px8h-6qxv-m22q

Severity

2.6

Low

CVSS V3

Summary

Incorrect parsing of nameless cookies leads to __Host- cookies bypass

Description

Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain.

Werkzeug <= 2.2.2 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
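The parsing difference the description turns on can be shown with two small cookie-header parsers. This is an added example, not Werkzeug's own code: `parse_cookie_lenient` is a hypothetical parser that reproduces the behaviour the advisory attributes to Werkzeug <= 2.2.2 (a regex search skips the leading `=`, so `=__Host-test=bad` comes out as key `__Host-test`, value `bad`), `parse_cookie_strict` is the hardened form that drops any cookie pair without a name, and `find_nameless_cookies` is a helper a server could use to log such requests. The `Cookie` header value is constructed for the example.

```python
import re

# Constructed sample Cookie header: a nameless cookie (nothing before the first "=")
# whose value embeds a __Host- prefixed name, followed by an ordinary cookie.
SAMPLE_COOKIE_HEADER = "=__Host-test=bad; session=abc123"

# Hypothetical lenient parser (not Werkzeug's code) that reproduces the behaviour the
# advisory describes: re.search skips anything that is not "name=value", so the
# leading "=" is ignored and "__Host-test=bad" is reported as a real cookie.
_LENIENT_RE = re.compile(r"(?P<key>[^=;\s]+)\s*=\s*(?P<val>[^;]*)")


def parse_cookie_lenient(header: str) -> dict:
    cookies = {}
    for part in header.split(";"):
        m = _LENIENT_RE.search(part)  # search, not match: a leading "=" is stepped over
        if m:
            cookies[m.group("key")] = m.group("val").strip()
    return cookies


def parse_cookie_strict(header: str) -> dict:
    """Hardened parser: split each pair on its first "=" and keep only pairs with a
    non-empty name, so a nameless cookie can never be mistaken for a __Host- cookie."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name:
            # "=value" (nameless) or a bare token with no "=": ignore it entirely
            continue
        cookies[name] = value.strip()
    return cookies


def find_nameless_cookies(header: str) -> list:
    """Return the raw nameless cookie pairs in a header, for logging or alerting."""
    return [p.strip() for p in header.split(";") if p.strip().startswith("=")]


if __name__ == "__main__":
    print("lenient :", parse_cookie_lenient(SAMPLE_COOKIE_HEADER))
    print("strict  :", parse_cookie_strict(SAMPLE_COOKIE_HEADER))
    print("nameless:", find_nameless_cookies(SAMPLE_COOKIE_HEADER))
```

With the strict parser the nameless pair is simply absent, so a legitimate `__Host-test` cookie sent in the same header keeps its own value instead of being overwritten by the injected one; the nameless pairs can still be surfaced through `find_nameless_cookies` for detection.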

References

Updates
