Vulnerability details: VCID-kycs-rbvn-z3e7
Vulnerability ID: VCID-kycs-rbvn-z3e7
Aliases: CVE-2023-23934, GHSA-px8h-6qxv-m22q, PYSEC-2023-57
Summary: Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
System Score Found at
cvssv3 2.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23934.json
epss 0.00267 https://api.first.org/data/v1/epss?cve=CVE-2023-23934
cvssv3.1 2.6 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr LOW https://github.com/advisories/GHSA-px8h-6qxv-m22q
cvssv3.1 2.6 https://github.com/pallets/werkzeug
generic_textual LOW https://github.com/pallets/werkzeug
cvssv3.1 2.6 https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
generic_textual LOW https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
ssvc Track https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
cvssv3.1 2.6 https://github.com/pallets/werkzeug/releases/tag/2.2.3
generic_textual LOW https://github.com/pallets/werkzeug/releases/tag/2.2.3
ssvc Track https://github.com/pallets/werkzeug/releases/tag/2.2.3
cvssv3.1 2.6 https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
cvssv3.1_qr LOW https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
generic_textual LOW https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
ssvc Track https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
cvssv3.1 2.6 https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-57.yaml
generic_textual LOW https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-57.yaml
cvssv3.1 2.6 https://nvd.nist.gov/vuln/detail/CVE-2023-23934
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2023-23934
cvssv3.1 2.6 https://security.netapp.com/advisory/ntap-20230818-0003
generic_textual LOW https://security.netapp.com/advisory/ntap-20230818-0003
cvssv3.1 2.6 https://security.netapp.com/advisory/ntap-20230818-0003/
ssvc Track https://security.netapp.com/advisory/ntap-20230818-0003/
cvssv3.1 2.6 https://www.debian.org/security/2023/dsa-5470
generic_textual LOW https://www.debian.org/security/2023/dsa-5470
ssvc Track https://www.debian.org/security/2023/dsa-5470
No exploits are available.
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23934.json
Attack Vector (AV): adjacent_network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): low; Availability Impact (A): none
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/pallets/werkzeug
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/ Found at https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/pallets/werkzeug/releases/tag/2.2.3
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/ Found at https://github.com/pallets/werkzeug/releases/tag/2.2.3
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/ Found at https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-57.yaml
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-23934
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20230818-0003
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20230818-0003/
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/ Found at https://security.netapp.com/advisory/ntap-20230818-0003/
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://www.debian.org/security/2023/dsa-5470
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/ Found at https://www.debian.org/security/2023/dsa-5470
Exploit Prediction Scoring System (EPSS)
Percentile: 0.50127
EPSS Score: 0.00267
Published At: April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:48:04.750716+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/werkzeug/PYSEC-2023-57.yaml 38.0.0