CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Products
Werkzeug
- 3.0.3
Source
security-advisories@github.com
Tags
CVE-2024-34069 details
Last Modified : May 6, 2024, 4 p.m.
Description
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7.5 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.5
Exploitability Score
Impact Score
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References
URL | Source |
---|---|
https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692 | security-advisories@github.com |
https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985 | security-advisories@github.com |