Headline
GHSA-2g68-c3qc-8985: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer’s machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer’s application that will trigger the debugger.
Skip to content
Navigation Menu
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-34069
Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
High severity GitHub Reviewed Published May 5, 2024 in pallets/werkzeug
Package
pip Werkzeug (pip)
Affected versions
< 3.0.3
Description
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer’s machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer’s application that will trigger the debugger.
References
- GHSA-2g68-c3qc-8985
- pallets/werkzeug@3386395
Published to the GitHub Advisory Database
May 6, 2024
Related news
Red Hat Security Advisory 2024-10696-03 - An update for python-werkzeug is now available for Red Hat OpenStack Platform 16.2. Issues addressed include a remote shell upload vulnerability.
Red Hat Security Advisory 2024-9976-03 - An update for python-werkzeug is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a remote shell upload vulnerability.
Red Hat Security Advisory 2024-9975-03 - An update for python-werkzeug is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a remote shell upload vulnerability.
Red Hat Security Advisory 2024-6016-03 - Red Hat OpenShift Container Platform release 4.15.30 is now available with updates to packages and images that fix several bugs and add enhancements.
Ubuntu Security Notice 6799-1 - It was discovered that the debugger in Werkzeug was not restricted to trusted hosts. A remote attacker could possibly use this issue to execute code on the host under certain circumstances.