CVE-2024-34069

EUVD-2024-1358
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.
CSRF
Provider   Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       Primary  7.5 HIGH    NETWORK      HIGH             NONE            CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
GitHub_M   CNA      7.5 HIGH    NETWORK      HIGH             NONE            CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score Percentile: 97%
Affected Products (NVD)
Vendor           Product       Version (vulnerable software versions)
palletsprojects  werkzeug      < 3.0.3
debian           debian_linux  11.0
Debian Releases
Debian Product   Codename             Fixed Version           Status
python-werkzeug  bookworm             2.2.2-3+deb12u1         fixed
python-werkzeug  bullseye                                     vulnerable
python-werkzeug  bullseye (security)  1.0.1+dfsg1-2+deb11u2   fixed
python-werkzeug  buster                                       postponed
python-werkzeug  forky                3.1.4-1                 fixed
python-werkzeug  sid                  3.1.4-1                 fixed
python-werkzeug  trixie               3.1.3-2                 fixed
Ubuntu Releases
Ubuntu Product   Codename  Fixed Version                      Status
python-werkzeug  bionic    0.14.1+dfsg1-1ubuntu0.2+esm1       released
python-werkzeug  focal     0.16.1+dfsg1-2ubuntu0.2            released
python-werkzeug  jammy     2.0.2+dfsg1-1ubuntu0.22.04.2       released
python-werkzeug  mantic    2.2.2-3ubuntu0.1                   released
python-werkzeug  noble     3.0.1-3ubuntu0.1                   released
python-werkzeug  xenial    0.10.4+dfsg1-1ubuntu1.2+esm2       released