CVE-2024-34069
Published 2024-05-06
Priority: P3 · 57 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.40% (87.3rd percentile)
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-werkzeug | < python-werkzeug 2.2.2-3+deb12u1 (bookworm) | python-werkzeug 2.2.2-3+deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-werkzeug_3.0.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-werkzeug_3.0.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-werkzeug_2.3.7-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-werkzeug_2.3.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| pallets | werkzeug | < 3.0.3 | 3.0.3 |
| palletsprojects | werkzeug | < 3.0.3 | 3.0.3 |
| palletsprojects | werkzeug | >= 0 < 3.0.3 | 3.0.3 |
Detection & IOCs (extracted from sources)
- The Werkzeug debugger is exploitable when enabled in production or localhost environments; detect HTTP requests targeting the Werkzeug interactive debugger console endpoint (typically /__debugger__ or /console paths) as a sign of exploitation attempts.
- The attack requires the victim to interact with an attacker-controlled domain/subdomain and enter the debugger PIN; monitor for cross-origin requests to localhost debugger endpoints, which may indicate an active exploitation attempt via CSRF-style interaction.
- Werkzeug's debugger is also present in Flask and Django RunServerPlus extension deployments; broaden detection scope to include these frameworks when hunting for exposed debugger endpoints.
- The vulnerability is described as involving improper pathname handling and improper CSRF protection; alert on unauthenticated POST requests to debugger endpoints from non-localhost origins.
- The attacker must guess a URL in the target application that triggers the debugger; monitor for unusual 500-error-triggering requests followed by debugger console interaction from unexpected source IPs.
- OpenShift Data Foundation (ODF) / Red Hat Ceph Storage is not impacted despite using an affected Werkzeug version, because the debugger is not configured or used in those deployments.
- The vulnerability is fixed in Werkzeug 3.0.3; the Debian stable (bookworm) backport fix is in 2.2.2-3+deb12u1 and the bullseye fix is in 1.0.1+dfsg1-2+deb11u2, so version checks should account for these patched backport versions.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_oracle | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Oracle
Oracle Oracle Communications Risk Matrix: Install (Werkzeug) — CVE-2024-34069
vendor_oracle · 2024-07-15 · CVSS 7.5
Oracle Oracle Communications Risk Matrix: Install (Werkzeug) vulnerability
CVE: CVE-2024-34069
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Ubuntu
Werkzeug vulnerability
vendor_ubuntu · 2024-05-29
Title: Werkzeug vulnerability
Summary: Werkzeug could be made to execute code under certain circumstances.
It was discovered that the debugger in Werkzeug was not restricted to trusted hosts. A remote attacker could possibly use this issue to execute code on the host under certain circumstances.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution
vendor_msrc · 2024-05-14 · CVSS 7.5
CWE: CWE-352
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open-source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Red Hat
python-werkzeug: user may execute code on a developer's machine
vendor_redhat · 2024-05-06 · CVSS 7.5
CWE: CWE-352
A flaw was found in Werkzeug, where an attacker may be able to execute code on a developer's machine under some circumstances. This issue requires the attacker to
Debian
CVE-2024-34069: python-werkzeug - Werkzeug is a comprehensive WSGI web application library. The debugger in affect...
vendor_debian · 2024 · CVSS 7.5
Scope: local
bookworm: resolved (fixed in 2.2.2-3+deb12u1)
bullseye: resolved (fixed in 1.0.1+dfsg1-2+deb11u2)
forky: resolved (fixed in 3.0.3-1)
sid: resolved (fixed in 3.0.3-1)
trixie: resolved (fixed in 3.0.3-1)
OSV
Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
osv · 2024-05-06
OSV
CVE-2024-34069: Werkzeug is a comprehensive WSGI web application library
osv · 2024-05-06 · CVSS 7.5
GHSA
Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
ghsa · 2024-05-06
CWE: CWE-352
No detection rules found.
No writeups or analysis indexed.
References
- https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692
- https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985
- https://lists.fedoraproject.org/archives/list/[email protected]/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/
- https://security.netapp.com/advisory/ntap-20240614-0004/
- https://lists.debian.org/debian-lts-announce/2025/02/msg00026.html