CVE-2024-34069

2024-05-0600:00:00

ubuntu.com

werkzeug

debugger

code execution

domain

subdomain

vulnerability

fix

unix

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Werkzeug is a comprehensive WSGI web application library. The debugger in
affected versions of Werkzeug can allow an attacker to execute code on a
developer’s machine under some circumstances. This requires the attacker to
get the developer to interact with a domain and subdomain they control, and
enter the debugger PIN, but if they are successful it allows access to the
debugger even if it is only running on localhost. This also requires the
attacker to guess a URL in the developer’s application that will trigger
the debugger. This vulnerability is fixed in 3.0.3.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchpython-werkzeug< 0.14.1+dfsg1-1ubuntu0.2+esm1UNKNOWN
ubuntu20.04noarchpython-werkzeug< 0.16.1+dfsg1-2ubuntu0.2UNKNOWN
ubuntu22.04noarchpython-werkzeug< 2.0.2+dfsg1-1ubuntu0.22.04.2UNKNOWN
ubuntu23.10noarchpython-werkzeug< 2.2.2-3ubuntu0.1UNKNOWN
ubuntu24.04noarchpython-werkzeug< 3.0.1-3ubuntu0.1UNKNOWN
ubuntu16.04noarchpython-werkzeug< 0.10.4+dfsg1-1ubuntu1.2+esm2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	python-werkzeug	< 0.14.1+dfsg1-1ubuntu0.2+esm1	UNKNOWN
ubuntu	20.04	noarch	python-werkzeug	< 0.16.1+dfsg1-2ubuntu0.2	UNKNOWN
ubuntu	22.04	noarch	python-werkzeug	< 2.0.2+dfsg1-1ubuntu0.22.04.2	UNKNOWN
ubuntu	23.10	noarch	python-werkzeug	< 2.2.2-3ubuntu0.1	UNKNOWN
ubuntu	24.04	noarch	python-werkzeug	< 3.0.1-3ubuntu0.1	UNKNOWN
ubuntu	16.04	noarch	python-werkzeug	< 0.10.4+dfsg1-1ubuntu1.2+esm2	UNKNOWN