CVE-2020-28724
Published: 2020-11-18
CVE-2020-28724: Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.
Priority: P4 (25) · Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.66% (73.7th percentile)
Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-werkzeug | < 0.11.9+dfsg1-1 (bookworm) | 0.11.9+dfsg1-1 |
| palletsprojects | werkzeug | < 0.11.6 | 0.11.6 |
| palletsprojects | werkzeug | >= 0, < 0.11.6 | 0.11.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
| vendor_debian | | 6.1 | MEDIUM | |
| vendor_redhat | | 6.1 | MEDIUM | |
The 7.5/HIGH figures from OSV and Ubuntu are attached to the Ubuntu notice "Werkzeug vulnerabilities", which also covers CVE-2019-14806 (insufficient debugger PIN randomness); NVD, Debian and Red Hat score this CVE on its own at 6.1 MEDIUM. The NVD v3.1 vector (UI:R, S:C, C:L/I:L) is the usual profile for an open redirect: the victim must follow a link, and the impact lands on the site the victim is sent to rather than on the vulnerable application itself.
OSV · 2021-04-20 · MEDIUM
Open Redirect in werkzeug
Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.
GHSA · 2021-04-20 · MEDIUM · CWE-601
Open Redirect in werkzeug
Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.
OSV · 2020-12-01 · CVSS 7.5 · HIGH (Ubuntu notice, indexed under CVE-2019-14806)
python-werkzeug vulnerabilities
It was discovered that Werkzeug has insufficient debugger PIN randomness. An attacker could use this issue to access sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-14806)
It was discovered that Werkzeug incorrectly handled certain URLs. An attacker could possibly use this issue to cause phishing attacks. This issue only affected Ubuntu 16.04 LTS. (CVE-2020-28724)
OSV · 2020-11-18 · CVSS 6.1 · MEDIUM
Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.
Ubuntu · 2020-12-01 · CVSS 7.5 · HIGH
Werkzeug vulnerabilities
Summary: Several security issues were fixed in Werkzeug.
It was discovered that Werkzeug has insufficient debugger PIN randomness. An attacker could use this issue to access sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-14806)
It was discovered that Werkzeug incorrectly handled certain URLs. An attacker could possibly use this issue to cause phishing attacks. This issue only affected Ubuntu 16.04 LTS. (CVE-2020-28724)
Instructions: In general, a standard system update will make all the necessary changes.
Debian · 2020 · CVSS 6.1 · MEDIUM
python-werkzeug: Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.
Scope: local
Status (all resolved, fixed in 0.11.9+dfsg1-1):
- bookworm
- bullseye
- forky
- sid
- trixie
Red Hat · 2015-12-06 · CVSS 6.1 · MEDIUM · CWE-601
python-werkzeug: open redirect via double slash in the URL
Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.
An open redirect flaw was found in the WSGI library python-werkzeug. When URL_PATH starts with a double slash followed by an arbitrary URL without a scheme, python-werkzeug could issue a redirect whose target is that arbitrary URL: a Location value beginning with `//host/...` is a scheme-relative URL, so the browser takes the host from the value rather than from the application. This flaw allows an attacker to redirect victims to phishing websites controlled by the attacker, or to chain it with other vulnerabilities.
Package: python-werkzeug (Red Hat Ceph Storage 2) - Out of support scope
Package: python-werkzeug (Red Hat Enterprise Linux 8) - Not affected
Package: python-werkzeug (Red Hat OpenShift Container Platform 4) - Not affected
Package: python-werkzeug (Red Hat Open
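The Red Hat description above is the clearest statement of the mechanism: a request path such as `//evil.example/admin`, reused verbatim when building a redirect, yields a scheme-relative Location that the browser resolves against the attacker's host. The block below is an added example, not Werkzeug's own code. `naive_trailing_slash_redirect` is a simplified stand-in for a redirect built from the raw path (an assumption about the shape of the bug, not Werkzeug's implementation); `normalize_path`, `safe_redirect_target` and `is_vulnerable_version` are illustrative helper names, not Werkzeug APIs; `evil.example` and `app.example` are constructed hosts. The safe-redirect helper goes a little beyond the double-slash case and also handles the backslash variant, absolute off-site URLs and non-http schemes, since those are the other inputs a practitioner checks for CWE-601.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Fixed version named in the advisory: werkzeug before 0.11.6 is affected.
FIXED_VERSION = (0, 11, 6)


def is_protocol_relative(location: str) -> bool:
    """True when a Location value carries its own host, i.e. a browser
    resolves it as '<current scheme>://<that host>/...'."""
    return urlsplit(location).netloc != ""


def naive_trailing_slash_redirect(path_info: str) -> str:
    """Simplified stand-in (assumption, not Werkzeug's code) for a redirect
    that appends a trailing slash by reusing the raw request path.
    With path_info '//evil.example/admin' the result starts with '//',
    which a browser reads as a scheme-relative URL to evil.example."""
    return path_info + "/"


def normalize_path(path_info: str) -> str:
    """Collapse leading slashes so a path can never be read as '//host/...'.
    '//evil.example/x' becomes the local path '/evil.example/x'."""
    if not path_info:
        return "/"
    return "/" + path_info.lstrip("/")


def hardened_trailing_slash_redirect(path_info: str) -> str:
    """The same redirect, built from the normalized path instead."""
    return normalize_path(path_info) + "/"


def safe_redirect_target(target: str, request_url: str, fallback: str = "/") -> str:
    """Resolve a user-supplied redirect target against the current request URL
    and return it only if it stays on the same http(s) host; otherwise return
    `fallback`. Handles '//host', '/\\host' (browsers treat '\\' like '/'),
    absolute URLs to other hosts, and non-http schemes such as javascript:."""
    base = urlsplit(request_url)
    target = target.replace("\\", "/")
    if target.startswith("/"):
        target = normalize_path(target)
    resolved = urlsplit(urljoin(request_url, target))
    if resolved.scheme not in ("http", "https"):
        return fallback
    if resolved.netloc.lower() != base.netloc.lower():
        return fallback
    return urlunsplit(resolved)


def is_vulnerable_version(version: str) -> bool:
    """True for Werkzeug release numbers below FIXED_VERSION. Accepts 'X.Y' or
    'X.Y.Z' with optional trailing pre-release text ('0.11.6rc1' compares as
    0.11.6); this is a quick triage check, not a full PEP 440 parser."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if m is None:
            raise ValueError(f"unparseable version: {version!r}")
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    for p in ("/admin", "//evil.example/admin"):
        naive = naive_trailing_slash_redirect(p)
        print(f"{p!r:24} naive={naive!r:26} off-site={is_protocol_relative(naive)}"
              f" hardened={hardened_trailing_slash_redirect(p)!r}")
    for t in ("/account", "//evil.example/login", "/\\evil.example/",
              "https://evil.example/", "javascript:alert(1)"):
        print(f"{t!r:24} -> {safe_redirect_target(t, 'https://app.example/login')!r}")
    for v in ("0.11.5", "0.11.6", "0.11", "1.0.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

The host comparison in `safe_redirect_target` is done after `urljoin`, so every target is judged on what the browser would actually request rather than on its textual prefix; that is what closes the `//host` and `\host` variants without a blocklist of patterns.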
No detection rules found.
No public exploits indexed.