CVE-2024-49766

Public on 2024-10-25
Modified on 2024-10-29
Description
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
Severity
Low severity
Low
CVSS v3 Base Score
3.7
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2023 python-werkzeug Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N