CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Percentile: 15.5%
werkzeug is vulnerable to Remote Code Execution. The vulnerability is due to the debugger accepting requests from non-localhost locations, which allows an attacker to execute arbitrary code under specific conditions. The prerequisites for this attack are that the attacker must convince a developer to interact with a domain the attacker controls, enter the debugger PIN, and guess the URL within the application that triggers the debugger.
github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692
github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985
lists.fedoraproject.org/archives/list/[email protected]/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/
lists.fedoraproject.org/archives/list/[email protected]/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/
security.netapp.com/advisory/ntap-20240614-0004/