CVE-2024-49766
Oct. 28, 2024, 1:58 p.m.
Tags
Product(s) Impacted
Werkzeug
- 3.0.6
Description
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
Weaknesses
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE ID: 22Date
Published: Oct. 25, 2024, 8:15 p.m.
Last Modified: Oct. 28, 2024, 1:58 p.m.
Status : Undergoing Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security-advisories@github.com