CVE-2024-34069

2024-05-0615:15:23

Debian Security Bug Tracker

security-tracker.debian.org

werkzeug

wsgi

web application

debugger

remote code execution

security vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer’s machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer’s application that will trigger the debugger. This vulnerability is fixed in 3.0.3.

OSVersionArchitecturePackageVersionFilename
Debian12allpython-werkzeug<= 2.2.2-3python-werkzeug_2.2.2-3_all.deb
Debian11allpython-werkzeug<= 1.0.1+dfsg1-2+deb11u1python-werkzeug_1.0.1+dfsg1-2+deb11u1_all.deb
Debian10allpython-werkzeug<= 0.14.1+dfsg1-4+deb10u1python-werkzeug_0.14.1+dfsg1-4+deb10u1_all.deb
Debian999allpython-werkzeug< 3.0.3-1python-werkzeug_3.0.3-1_all.deb
Debian13allpython-werkzeug< 3.0.3-1python-werkzeug_3.0.3-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-werkzeug	<= 2.2.2-3	python-werkzeug_2.2.2-3_all.deb
Debian	11	all	python-werkzeug	<= 1.0.1+dfsg1-2+deb11u1	python-werkzeug_1.0.1+dfsg1-2+deb11u1_all.deb
Debian	10	all	python-werkzeug	<= 0.14.1+dfsg1-4+deb10u1	python-werkzeug_0.14.1+dfsg1-4+deb10u1_all.deb
Debian	999	all	python-werkzeug	< 3.0.3-1	python-werkzeug_3.0.3-1_all.deb
Debian	13	all	python-werkzeug	< 3.0.3-1	python-werkzeug_3.0.3-1_all.deb