CVE-2024-34069

Aliases:GHSA-2g68-c3qc-8985

Advisory lineage Upstream: 0 Downstream: 18

Downstream

DEBIAN-CVE-2024-34069 DLA-4062-1 MGASA-2024-0234 OPENSUSE-SU-2024:14042-1 RHSA-2024:10696 RHSA-2024:5810

Analyzed

Published: 06 May 2024, 14:44

Last modified:21 Feb 2025, 18:03

Vulnerability Summary

Overall Risk (default)

medium

49/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

43.65% HIGH

44% probability +1.71%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

06 May 2024, 14:44

Published

Vulnerability first disclosed

21 Feb 2025, 18:03

Last Modified

Vulnerability information updated

Description

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 43.65%• Percentile: 98%

Techniques & Countermeasures

CWE-352•Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Affected Systems

debian•debian_linux
11.0
fedoraproject•fedora
38 | 40
pallets•werkzeug
< 3.0.3
palletsprojects•werkzeug
< 3.0.3
PyPI•werkzeug
< 3.0.3