CVE-2024-34069

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.
Weakness: CSRF
CVSS scores

Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  7.5 HIGH    NETWORK      HIGH             NONE            CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
GitHub_M   CNA   7.5 HIGH    NETWORK      HIGH             NONE            CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADP   ADP   ---         ---
CVE        ADP   ---         ---
Status: Awaiting analysis (this vulnerability is currently awaiting analysis).
EPSS Score Percentile: 15%
Debian Releases

Product          Codename             Version                Status
python-werkzeug  bullseye                                    vulnerable
python-werkzeug  buster                                      postponed
python-werkzeug  bullseye (security)  1.0.1+dfsg1-2+deb11u2  fixed
python-werkzeug  bookworm             2.2.2-3+deb12u1        fixed
python-werkzeug  sid                  3.1.3-2                fixed
python-werkzeug  trixie               3.1.3-2                fixed
Ubuntu Releases

Product          Codename  Fixed version                  Status
python-werkzeug  noble     3.0.1-3ubuntu0.1               released
python-werkzeug  mantic    2.2.2-3ubuntu0.1               released
python-werkzeug  jammy     2.0.2+dfsg1-1ubuntu0.22.04.2   released
python-werkzeug  focal     0.16.1+dfsg1-2ubuntu0.2        released
python-werkzeug  bionic    0.14.1+dfsg1-1ubuntu0.2+esm1   released
python-werkzeug  xenial    0.10.4+dfsg1-1ubuntu1.2+esm2   released