{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-25T19:41:35Z",
  "bugzilla" : {
    "description" : "werkzeug: python-werkzeug: Werkzeug possible resource exhaustion when parsing file data in forms",
    "id" : "2321829",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2321829"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.", "A flaw was found in the Werkzeug web application library. Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting and trigger a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift AI 2.16",
    "release_date" : "2024-12-05T00:00:00Z",
    "advisory" : "RHSA-2024:10852",
    "cpe" : "cpe:/a:redhat:openshift_ai:2.16::el8",
    "package" : "rhoai/odh-modelmesh-runtime-adapter-rhel8:v2.16.0-1732953768"
  }, {
    "product_name" : "Red Hat OpenShift AI 2.17",
    "release_date" : "2025-02-13T00:00:00Z",
    "advisory" : "RHSA-2025:1448",
    "cpe" : "cpe:/a:redhat:openshift_ai:2.17::el8",
    "package" : "rhoai/odh-modelmesh-runtime-adapter-rhel8:v2.17.0-1739102748"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-49767\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49767\nhttps://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee\nhttps://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b\nhttps://github.com/pallets/werkzeug/releases/tag/3.0.6\nhttps://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2" ],
  "name" : "CVE-2024-49767",
  "mitigation" : {
    "value" : "The Request.max_content_length setting and resource limits provided by deployment software and platforms are available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.",
    "lang" : "en:us"
  },
  "csaw" : false
}