VDB

CISA-2024-49766

CISA-2024-49766 PUBLISHED CVSS 6.3 MEDIUM

Reported by GitHub_M · Published October 25, 2024

Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.

Risk Scores

CVSS 4.0
6.3
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products

VendorProductVersions
palletswerkzeug< 3.0.6
palletswerkzeug*, < 3.0.6

Timeline

  • Oct 25, 2024 CVE Published
  • Jan 31, 2025 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›