CVE-2024-49766 — Path Traversal in Werkzeug

CWE-22 — Path Traversal8 documents7 sources

Severity

6.3MEDIUMNVD

EPSS

1.4%

top 19.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pallets Werkzeug Palletsprojects Werkzeug

Timeline

PublishedOct 25

Latest updateJan 15

Description

Werkzeug is a Web Server Gateway Interface web application library. On Python = 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5pallets/werkzeug< 3.0.6

▶NVDpalletsprojects/werkzeug< 3.0.6

▶PyPIpalletsprojects/werkzeug< 3.0.6

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-49766: Werkzeug is a Web Server Gateway Interface web application library↗2024-10-28

▶

OSV

Werkzeug safe_join not safe on Windows↗2024-10-25

▶

GHSA

Werkzeug safe_join not safe on Windows↗2024-10-25

▶

CVEList

Werkzeug safe_join not safe on Windows↗2024-10-25

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Configuration (Werkzeug) — CVE-2024-49766↗2025-01-15

▶

Red Hat

werkzeug: python-werkzeug: Werkzeug safe_join not safe on Windows↗2024-10-25

▶

Debian

CVE-2024-49766: python-werkzeug - Werkzeug is a Web Server Gateway Interface web application library. On Python < ...↗2024

▶