CVE-2023-46136: 
Python vulnerability analysis and mitigation

Werkzeug, a comprehensive WSGI web application library, was found to contain a vulnerability (CVE-2023-46136) that affects versions prior to 2.3.8 and 3.0.0 prior to 3.0.1. The vulnerability was discovered and disclosed in October 2023, with a patch released on October 24, 2023. The issue affects the multipart data parser functionality in Werkzeug, which is widely used in web applications (GitHub Advisory).

The vulnerability stems from inefficient code in the multipart data parser when looking for partial boundaries in the buffer. When processing a file that begins with CR or LF characters followed by megabytes of data without these characters, all bytes are appended chunk by chunk into an internal bytearray, and boundary lookup is performed on the growing buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating its severity (NVD).

Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition. The attack can cause excessive CPU time consumption, blocking worker processes from handling legitimate requests, and potentially trigger out-of-memory conditions that kill the process. If multiple concurrent requests are sent continuously, this can exhaust or kill all available workers (GitHub Advisory).

The vulnerability has been patched in Werkzeug versions 2.3.8 and 3.0.1. Users are advised to upgrade to these patched versions to mitigate the risk. The fix was implemented through a commit that addresses the inefficient parsing of multipart data (GitHub Patch).

Multiple vendors and organizations have acknowledged and responded to this vulnerability. Red Hat has issued security advisories for affected products and provided patches through their update channels. NetApp has conducted a comprehensive review of their product portfolio and published an advisory detailing affected and unaffected products (Red Hat Advisory, NetApp Advisory).