Skip to main content

Werkzeug CVE-2024-34069

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-05-06 security-advisories@github.com
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
May 06, 2024 - 15:15 cve.org
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 106 pypi packages depend on werkzeug (87 direct, 21 indirect)

Ecosystem-wide dependent count for version 3.0.3.

DescriptionCVE.org

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.

AnalysisAI

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3. Affected products include: Palletsprojects Werkzeug, Debian Debian Linux, Fedoraproject Fedora.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2019-14322 HIGH POC
7.5 Jul 28

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. Rated

CVE-2020-28724 MEDIUM POC
6.1 Nov 18

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL. Rated medium severity (CVSS 6.1), t

CVE-2022-29361 CRITICAL
9.8 May 25

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smugglin

CVE-2023-46136 HIGH
8.0 Oct 25

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 8.0), this vulnerability is low atta

CVE-2023-25577 HIGH
7.5 Feb 14

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2019-14806 HIGH
7.5 Aug 09

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker container

CVE-2025-66221 MEDIUM
6.3 Nov 29

Werkzeug is a comprehensive WSGI web application library. Rated medium severity (CVSS 6.3), this vulnerability is remote

CVE-2024-49766 MEDIUM
6.3 Oct 25

Werkzeug is a Web Server Gateway Interface web application library. Rated medium severity (CVSS 6.3), this vulnerability

CVE-2016-10516 MEDIUM
6.1 Oct 23

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werk

CVE-2026-27199 MEDIUM
5.3 Feb 21

Werkzeug versions 3.1.5 and below on Windows fail to properly filter reserved device names in the safe_join function whe

CVE-2026-21860 MEDIUM
5.3 Jan 08

Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allo

CVE-2023-23934 LOW
3.5 Feb 14

Werkzeug is a comprehensive WSGI web application library. Rated low severity (CVSS 3.5), this vulnerability is no authen

Share

CVE-2024-34069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy