Lucene search

Gentoo FoundationMGASA-2024-0234

HistoryJun 24, 2024 - 10:04 p.m.

Updated python-werkzeug packages fix security vulnerability

2024-06-2422:04:12

Gentoo Foundation

advisories.mageia.org

werkzeug

wsgi

security vulnerability

debugger

code execution

domain control

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer’s machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer’s application that will trigger the debugger. This vulnerability is fixed in 3.0.3.

OSVersionArchitecturePackageVersionFilename
Mageia9noarchpython-werkzeug< 3.0.3-1python-werkzeug-3.0.3-1.mga9

OS	Version	Architecture	Package	Version	Filename
Mageia	9	noarch	python-werkzeug	< 3.0.3-1	python-werkzeug-3.0.3-1.mga9

References

bugs.mageia.org/show_bug.cgi?id=33201

lwn.net/Articles/973069/

ubuntu.com/security/notices/USN-6799-1

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for MGASA-2024-0234