CVE-2019-14322
Published: 2019-07-28
Priority: P2 66 · severity high · 7.5 CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public exploit available
EPSS: 55.53% (98.9th percentile)
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-werkzeug | — | — |
| palletsprojects | werkzeug | < 0.15.5 | 0.15.5 |
| palletsprojects | werkzeug | >= 0 < 0.15.5 | 0.15.5 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by matching HTTP GET requests to paths containing static resource endpoints followed by a Windows drive letter pattern (e.g., /static/c:/). The three known exploit endpoints are /base_import/static/c:/, /web/static/c:/, and /base/static/c:/.
- A successful exploitation response body will contain all three strings: 'bit app support', 'fonts', and 'extensions', characteristic content of a Windows win.ini file. Match all three with AND logic on HTTP 200 responses.
- The exploit PoC checks for 'fonts' and 'files' and 'extensions' in the response body to confirm successful local file inclusion of win.ini.
- The vulnerability is triggered via Python's os.path.join() mishandling of Windows drive names: a path segment with a drive name (e.g., C:) changes the drive of the final path, enabling path traversal outside the intended static directory.
- This vulnerability only affects Werkzeug deployments running on Windows. The SharedDataMiddleware path traversal via drive letter is a Windows-specific behavior and is not exploitable on Linux/Unix systems.
- The exploit endpoints tested (/base_import/static/, /web/static/, /base/static/) are specific to Odoo (formerly OpenERP) deployments using Werkzeug as the WSGI layer. Detection rules should be scoped accordingly.
- The PoC uses verify=False (disabling TLS certificate verification) and a 5-second timeout, meaning exploit traffic may arrive over HTTPS with an invalid/self-signed certificate.
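Added example (not code from this page, from Werkzeug or from the PoC): it reproduces the os.path.join drive-name behaviour described above using ntpath, so the Windows semantics run on any platform, puts an illustrative hardened join beside it, and runs the "/static/ followed by a drive letter" request check over constructed log lines. STATIC_ROOT, the sample log lines and the hardened_join logic are assumptions for illustration, not Werkzeug's own safe_join.

```python
import ntpath
import re
from typing import List, Optional

# Directory a SharedDataMiddleware instance would serve on a Windows host
# (constructed value for this example).
STATIC_ROOT = r"C:\app\static"


def naive_join(root: str, requested: str) -> str:
    """Join the way the vulnerable code path does: a segment carrying a
    drive name replaces the root entirely. ntpath gives Windows semantics
    on any OS, so this demonstrates the bug on Linux as well."""
    return ntpath.join(root, requested)


def hardened_join(root: str, requested: str) -> Optional[str]:
    """Illustrative hardened join (an assumption, not Werkzeug's safe_join):
    refuse segments that carry a drive name or are absolute, then confirm
    the normalised result still lies under root."""
    drive, tail = ntpath.splitdrive(requested)
    if drive or tail.startswith(("\\", "/")):
        return None
    root_norm = ntpath.normpath(root)
    joined = ntpath.normpath(ntpath.join(root_norm, requested))
    if ntpath.commonpath([root_norm, joined]).lower() != root_norm.lower():
        return None  # ".." segments climbed out of the static root
    return joined


# Static-resource path followed by a drive letter; the colon may be literal
# or percent-encoded (%3A), which a literal-only rule would miss.
DRIVE_IN_STATIC = re.compile(r'"GET (\S*/static/[A-Za-z](?::|%3[Aa])/\S*) ')

# Constructed access-log lines (not real traffic) for the detector below.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jul/2019:10:00:01 +0000] "GET /web/static/c:/windows/win.ini HTTP/1.1" 200 403
10.0.0.6 - - [28/Jul/2019:10:00:02 +0000] "GET /web/static/src/js/app.js HTTP/1.1" 200 1024
10.0.0.7 - - [28/Jul/2019:10:00:03 +0000] "GET /base/static/D%3A/test.txt HTTP/1.1" 404 0
"""


def suspicious_requests(log_text: str) -> List[str]:
    """Return request paths that carry a drive letter right after /static/."""
    hits = []
    for line in log_text.splitlines():
        m = DRIVE_IN_STATIC.search(line)
        if m:
            hits.append(m.group(1))
    return hits
```

The 404 in the third constructed line still reports as a hit: the detector flags the attempt, while the response-body rule above is what confirms success.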
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_debian | — | 7.5 | LOW | — |
OSV
Pallets Werkzeug vulnerable to Path Traversal
osv · 2022-05-24 · HIGH
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
GHSA
Pallets Werkzeug vulnerable to Path Traversal
ghsa · 2022-05-24 · HIGH · CWE-22
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
Debian
CVE-2019-14322: python-werkzeug
vendor_debian · 2019 · CVSS 7.5 · HIGH
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
Exploit-DB
Pallets Werkzeug 0.15.4 - Path Traversal
exploitdb · 2021-07-06 · CVSS 7.5 · HIGH
---
# Exploit Title: Pallets Werkzeug 0.15.4 - Path Traversal
# Date: 06 July 2021
# Original Author: Emre ÖVÜNÇ
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://palletsprojects.com/
# Software Link: https://github.com/pallets/werkzeug
# Version: Prior to 0.15.5
# Tested on: Windows Server
# CVE: 2019-14322
# Credit: Emre Övünç and Olivier Dony for responsibly reporting the issue
# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14322
# Reference : https://palletsprojects.com/blog/werkzeug-0-15-5-released/
Description : Prior to 0.15.5, it was possible for a third party to potentially access arbitrary files when the application used SharedDataMiddleware on Windows. Due to the way Python's os.path.join(
Nuclei
Pallets Werkzeug <0.15.5 - Local File Inclusion
nuclei · CVSS 7.5 · HIGH
Pallets Werkzeug before 0.15.5 is susceptible to local file inclusion because SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
Template:
id: CVE-2019-14322
info:
  name: Pallets Werkzeug <0.15.5 - Local File Inclusion
  author: madrobot
  severity: high
  description: |
    Pallets Werkzeug before 0.15.5 is susceptible to local file inclusion because SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
  impact: |
    The LFI vulnerability can lead to unauthorized access to sensitive files, potential data leakage, and remote code execution.
  remediation: |
    Upgrade Pallets Werkzeug to version 0.15.5 or above to mitigate the LFI vulnerability.
  reference:
    - https://palletsprojects.com/blog/werkzeug-0-15-5
Published: 2019-07-28