CVE-2024-34069: Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution

Published May 6, 2024

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control and to enter the debugger PIN; if they succeed, it allows access to the debugger even when it is only listening on localhost. The attacker also has to guess a URL in the developer's application that will trigger the debugger.

Other sources

Microsoft: Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution

Affected Software

19 affected components (fixed version listed where a fix is available)

ubuntu/python-werkzeug        affected: <0.14.1+dfsg1-1ubuntu0.2+        fixed: 0.14.1+dfsg1-1ubuntu0.2+
ubuntu/python-werkzeug        affected: <0.16.1+dfsg1-2ubuntu0.2         fixed: 0.16.1+dfsg1-2ubuntu0.2
ubuntu/python-werkzeug        affected: <2.0.2+dfsg1-1ubuntu0.22.04.2    fixed: 2.0.2+dfsg1-1ubuntu0.22.04.2
ubuntu/python-werkzeug        affected: <2.2.2-3ubuntu0.1                fixed: 2.2.2-3ubuntu0.1
ubuntu/python-werkzeug        affected: <3.0.1-3ubuntu0.1                fixed: 3.0.1-3ubuntu0.1
ubuntu/python-werkzeug        affected: <0.10.4+dfsg1-1ubuntu1.2+        fixed: 0.10.4+dfsg1-1ubuntu1.2+
debian/python-werkzeug        affected: <=1.0.1+dfsg1-2+deb11u1, <=2.2.2-3   fixed: 3.0.3-1
pip/Werkzeug                  affected: <3.0.3                           fixed: 3.0.3
IBM Watson Studio on Cloud Pak for Data   affected: <=4.0
IBM Watson Studio on Cloud Pak for Data   affected: <=5.0
redhat/python-werkzeug        affected: <3.0.3                           fixed: 3.0.3
palletsprojects Werkzeug      affected: <3.0.3
Debian Debian Linux           affected: =11.0
Fedoraproject Fedora          affected: =38
Fedoraproject Fedora          affected: =40
Microsoft azl3 python-werkzeug   3.0.3-1
Microsoft cbl2 python-werkzeug   2.3.7-3
Microsoft azl3 python-werkzeug   3.0.1-1
Microsoft cbl2 python-werkzeug   2.3.7-2

Event History

May 6, 2024
  CVE Published via Ubuntu, 12:00 AM
  Advisory Published via GitHub, 02:21 PM
  CVE Published via MITRE, 02:44 PM
  Data Sourced via MITRE, 02:44 PM (Description, Severity, Weakness)
  Data Sourced via NVD, 03:15 PM (Description, Severity, Weakness)
  Data Sourced via NVD, 03:15 PM (Remedy, Affected Software)
May 7, 2024
  Data Sourced via Red Hat, 05:36 AM (Description, Severity, Affected Software)
May 13, 2024
  Data Sourced via Microsoft, 07:00 AM (Description, Severity, Weakness)
  Data Sourced via Microsoft, 07:00 AM (Affected Software)
  Updated via Microsoft, 07:00 AM (Affected Software)
  Updated via Microsoft, 07:00 AM (Description, Severity)
Jun 26, 2024
  Data Sourced via Launchpad, 05:55 PM (Description)
Aug 28, 2025
  Data Sourced via IBM, 12:00 AM (Description, Affected Software)


Frequently Asked Questions

1. What is the severity of CVE-2024-34069?

CVE-2024-34069 has a critical severity level due to its potential to allow remote code execution.

2. How do I fix CVE-2024-34069?

To fix CVE-2024-34069, upgrade to the latest versions of python-werkzeug or Werkzeug as specified in the vendor advisories.
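As an added check that is not part of the SecAlerts advisory or of Werkzeug itself: a small Python helper that reports whether an installed Werkzeug falls inside the pip range the advisory lists (<3.0.3, fixed in 3.0.3) and whether the `FLASK_DEBUG` environment variable, which switches on the Werkzeug debugger in Flask, is set. The version comparison is a deliberately minimal numeric release compare written for this example (it is not the `packaging` library and not a full PEP 440 implementation); `importlib.metadata` is standard library. The `FLASK_DEBUG` truthiness rule is an assumption that accepts a few common "on" spellings.

```python
"""Check whether an installed Werkzeug is within the CVE-2024-34069 pip range.

Added example, not code from the advisory or from Werkzeug. The fixed
version 3.0.3 is the one the advisory lists for pip/Werkzeug. The version
compare below is a minimal numeric release compare (not PEP 440 complete).
"""
from importlib import metadata
import os

FIXED_VERSION = "3.0.3"  # pip/Werkzeug fix version from the advisory


def release_tuple(version: str) -> tuple:
    """Turn '2.3.7', '3.0.1rc1' or '3.0' into a comparable tuple of ints.

    A local tag after '+' is dropped, and parsing stops at the first segment
    that is not purely numeric ('1rc1' keeps its leading 1, then stops), so a
    pre-release of 3.0.3 compares equal to 3.0.3. Accepted simplification for
    an example whose only question is "older than the fix?".
    """
    parts = []
    for piece in version.split("+")[0].split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if digits:
            parts.append(int(digits))
        if len(digits) != len(piece):
            break  # suffix such as 'rc1' or 'dev0': stop after its leading digits
    while len(parts) < 3:  # pad so 3.0 and 3.0.0 compare equal
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if `version` is older than the fixed release, i.e. inside <3.0.3."""
    return release_tuple(version) < release_tuple(FIXED_VERSION)


def installed_werkzeug_version():
    """Return the installed Werkzeug version string, or None if not installed."""
    try:
        return metadata.version("Werkzeug")
    except metadata.PackageNotFoundError:
        return None


def exposure_report(version, environ=None) -> dict:
    """Combine the version check with a FLASK_DEBUG heuristic.

    Flask reads FLASK_DEBUG to turn on debug mode, which enables the Werkzeug
    debugger; the set of accepted "on" values here is an assumption for this
    example. `environ` is injectable so the function can be tested offline.
    """
    environ = os.environ if environ is None else environ
    debug_on = environ.get("FLASK_DEBUG", "").strip().lower() in ("1", "true", "on", "yes")
    affected = version is not None and is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "flask_debug_env": debug_on,
        "action": "upgrade Werkzeug to >=" + FIXED_VERSION if affected else "ok",
    }


if __name__ == "__main__":
    print(exposure_report(installed_werkzeug_version()))
```

This only applies to versions installed from PyPI. Distribution packages (the ubuntu/, debian/ and redhat/ rows in the table on this page) backport the fix without bumping to 3.0.3, so for those compare the package version against the distribution's own fixed version from the table, not against 3.0.3.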

3. Which software is affected by CVE-2024-34069?

CVE-2024-34069 affects various versions of python-werkzeug across multiple Ubuntu releases and other distributions like Debian and Red Hat.

4. Is CVE-2024-34069 a remote code execution vulnerability?

Yes, CVE-2024-34069 is a remote code execution vulnerability that can be exploited by an attacker to execute arbitrary code.

5. What are the implications of CVE-2024-34069?

The implications of CVE-2024-34069 include unauthorized access to systems and potential data breaches due to arbitrary code execution.
