CVE-2024-34069
HIGH7.5EPSS 43.6%Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
發布日:2024/5/6修改日:2026/2/4
描述
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.
受影響套件(3)
- Debian/python-werkzeugfrom 0, < 1.0.1+dfsg1-2+deb11u2
- Debian/python-werkzeugfrom 0, < 1.0.1+dfsg1-2+deb11u2
- PyPI/werkzeugfrom 0, < 3.0.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-34069
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-34069
- PATCHhttps://github.com/pallets/werkzeug
- WEBhttps://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692
- WEBhttps://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985
- WEBhttps://lists.debian.org/debian-lts-announce/2025/02/msg00026.html
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ
- WEBhttps://security.netapp.com/advisory/ntap-20240614-0004