Vulnerability DatabaseCVE-2024-49766
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-49766
October 25, 2024
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
Affected Packages
Werkzeug (PYTHON):
Affected version(s) >=0.1 <3.0.6
Fix Suggestion:
Update to version 3.0.6
Related Resources (7)
https://security.netapp.com/advisory/ntap-20250131-0005/
https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092
https://github.com/pallets/werkzeug
https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j
https://nvd.nist.gov/vuln/detail/CVE-2024-49766
https://security.netapp.com/advisory/ntap-20250131-0005
https://github.com/pallets/werkzeug/releases/tag/3.0.6
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
EPSS
Base Score:
1.03