CVE-2024-34069
published 2024-05-06

Priority: P3 57 · High · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 3.40% (87.3rd percentile)
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.

Affected

18 ranges

Vendor          | Product                                                 | Version range                                   | Fixed in
debian          | debian_linux                                            |                                                 |
debian          | python-werkzeug                                         | < python-werkzeug 2.2.2-3+deb12u1 (bookworm)    | python-werkzeug 2.2.2-3+deb12u1 (bookworm)
fedoraproject   | fedora                                                  |                                                 |
fedoraproject   | fedora                                                  |                                                 |
msrc            | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0     |                                                 |
msrc            | azl3_python-werkzeug_3.0.1-1_on_azure_linux_3.0         |                                                 |
msrc            | azl3_python-werkzeug_3.0.3-1_on_azure_linux_3.0         |                                                 |
msrc            | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0             |                                                 |
msrc            | azure_linux_3.0_arm                                     |                                                 |
msrc            | azure_linux_3.0_x64                                     |                                                 |
msrc            | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0     |                                                 |
msrc            | cbl2_python-werkzeug_2.3.7-2_on_cbl_mariner_2.0         |                                                 |
msrc            | cbl2_python-werkzeug_2.3.7-3_on_cbl_mariner_2.0         |                                                 |
msrc            | cbl_mariner_2.0_arm                                     |                                                 |
msrc            | cbl_mariner_2.0_x64                                     |                                                 |
pallets         | werkzeug                                                | < 3.0.3                                         | 3.0.3
palletsprojects | werkzeug                                                | < 3.0.3                                         | 3.0.3
palletsprojects | werkzeug                                                | >= 0 < 3.0.3                                    | 3.0.3

Detection & IOCs (extracted from sources)

  • The Werkzeug debugger is exploitable wherever it is enabled, including a dev server bound only to localhost. Detect requests carrying the `__debugger__=yes` query parameter (with `cmd=resource`, `cmd=pinauth`, `cmd=printpin`, or a console expression in `cmd=`) and requests to the interactive console path (`/console` by default) as signs of debugger use or exploitation attempts. The parameter rides on whatever application URL raised the exception, so match on the query string rather than on a fixed path.
  • The attack requires the developer to interact with a domain and subdomain the attacker controls and to enter the debugger PIN there. Because the resulting requests come from the developer's own browser, they reach the dev server from the local machine; the useful signal is the Host header. Treat debugger requests whose Host is anything other than localhost, 127.0.0.1, ::1, a `.localhost` name, or the hostname the dev server was started with as a possible cross-origin (CSRF-style) exploitation attempt; restricting debugger requests to such hosts is what the 3.0.3 fix enforces.
  • Werkzeug's debugger is also what Flask's debug mode and django-extensions' `runserver_plus` enable; broaden detection scope to those deployments when hunting for exposed debugger endpoints.
  • The vulnerability is described as involving improper pathname handling and improper CSRF protection. Debugger commands are read from the query string (`request.args`), not from a POST body, so alert on unauthenticated debugger requests with a non-localhost Host regardless of HTTP method.
  • The attacker must guess a URL in the target application that raises an exception and triggers the debugger; monitor for 500 responses followed shortly by `__debugger__=yes` requests on the same path. On a localhost dev server both will show a source IP of 127.0.0.1, so correlate on path and Host rather than on client address.
  • OpenShift Data Foundation (ODF) / Red Hat Ceph Storage is not impacted despite using an affected Werkzeug version, because the debugger is not configured or used in those deployments.
  • The vulnerability is fixed in Werkzeug 3.0.3; the Debian stable (bookworm) backport fix is in 2.2.2-3+deb12u1 and the bullseye fix is in 1.0.1+dfsg1-2+deb11u2, so version checks must account for these patched backport revisions rather than comparing the upstream version alone.
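The detection notes above turned into runnable hunting logic. This is an added example, not part of the original page or of Werkzeug: it parses constructed log lines (dev-server style, with the Host header appended as a trailing quoted field, which the stock Werkzeug dev server does not log, so assume a reverse proxy or custom log format that records it), flags `__debugger__=yes` requests and the `/console` path, checks whether the Host is a localhost-style name, and marks each hit that follows a recent 500 from the same client. The trusted host set, the 60-second correlation window and the severity labels are assumptions to tune for your environment; the command names come from how the debugger dispatches on `cmd=`.

```python
"""Hunt access logs for Werkzeug debugger activity (CVE-2024-34069).

Example code, not from the advisory or from Werkzeug. The log format is a
constructed one: dev-server style lines with the Host header appended.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic; not captured from a real incident.
SAMPLE_LOG = """\
127.0.0.1 - - [06/May/2024 10:00:01] "GET /users/42 HTTP/1.1" 200 - "localhost:5000"
127.0.0.1 - - [06/May/2024 10:00:05] "GET /api/report HTTP/1.1" 500 - "localhost:5000"
127.0.0.1 - - [06/May/2024 10:00:07] "GET /api/report?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 200 - "localhost:5000"
127.0.0.1 - - [06/May/2024 10:00:09] "GET /api/report?__debugger__=yes&cmd=pinauth&pin=123-456-789&s=AbCdEf HTTP/1.1" 200 - "dev.attacker.example:5000"
127.0.0.1 - - [06/May/2024 10:00:12] "GET /api/report?__debugger__=yes&cmd=__import__%28%27os%27%29.popen%28%27id%27%29.read%28%29&frm=0&s=AbCdEf HTTP/1.1" 200 - "dev.attacker.example:5000"
127.0.0.1 - - [06/May/2024 10:00:20] "GET /console HTTP/1.1" 200 - "localhost:5000"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

# Assumed allowlist, modeled on the localhost-only hosts the 3.0.3 fix accepts;
# add the hostname your dev server binds if it is not one of these.
TRUSTED_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Built-in debugger commands; any other value of cmd= is evaluated in a frame.
BUILTIN_CMDS = {"resource", "pinauth", "printpin"}
CONSOLE_PATH = "/console"   # DebuggedApplication's default console_path


def host_is_trusted(host: str) -> bool:
    """Strip the port and accept localhost-style names and *.localhost."""
    if host.startswith("["):                 # bracketed IPv6, e.g. [::1]:5000
        name = host[1:host.index("]")]
    else:
        name = host.split(":", 1)[0]
    return name in TRUSTED_HOSTS or name.endswith(".localhost")


def classify(target: str):
    """Return (kind, cmd) for a request target, or None if it is not debugger traffic."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if qs.get("__debugger__") == ["yes"]:
        cmd = qs.get("cmd", [""])[0]
        if cmd in BUILTIN_CMDS:
            return ("debugger_" + cmd, cmd)
        return ("console_eval", cmd)         # arbitrary expression sent to the debugger
    if parts.path.rstrip("/") == CONSOLE_PATH:
        return ("console_ui", "")
    return None


def scan(log_text: str, window: int = 60) -> list:
    """Flag debugger traffic and note whether the same client had a 500 within `window` s."""
    last_500 = {}            # client address -> time of its most recent 500
    findings = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        client = m["client"]
        if m["status"] == "500":
            last_500[client] = ts
            continue
        hit = classify(m["target"])
        if hit is None:
            continue
        kind, cmd = hit
        trusted = host_is_trusted(m["host"])
        after_500 = client in last_500 and (ts - last_500[client]).total_seconds() <= window
        # Untrusted Host or a console expression is the dangerous combination.
        severity = "high" if (kind == "console_eval" or not trusted) else "medium"
        findings.append({
            "ts": m["ts"], "client": client, "host": m["host"], "kind": kind,
            "cmd": cmd, "host_trusted": trusted, "after_500": after_500,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:6} {f['kind']:18} host={f['host']} "
              f"trusted={f['host_trusted']} after_500={f['after_500']} cmd={f['cmd']!r}")
```

On the sample the resource fetch on the localhost Host is rated medium (normal developer use of the debugger after a crash), while the PIN authentication and the evaluated expression arriving with an attacker-controlled Host are rated high: same client address, same path, different Host, which is exactly the pattern the 3.0.3 host check shuts down.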

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
osv            |         | 7.5   | HIGH     |
vendor_debian  |         | 7.5   | HIGH     |
vendor_msrc    |         | 7.5   | HIGH     |
vendor_oracle  |         | 7.5   | HIGH     |
vendor_redhat  |         | 7.5   | HIGH     |