Description
Werkzeug is a Web Server Gateway Interface (WSGI) web application library. On Python < 3.11 on Windows, os.path.isabs() does not recognise UNC paths such as //server/share as absolute. Werkzeug's safe_join() relies on that check to reject absolute segments, so it can return a path outside the intended directory, potentially allowing unintended access to data. Applications running on Python >= 3.11, or not on Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
A flaw was found in Werkzeug. In Python versions below v3.11 on Windows, os.path.isabs() does not catch UNC paths such as //server/share. Werkzeug's safe_join() relies on this check and can produce a path that is not safe, which can allow unintended access to data.
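The following is an added example, not Werkzeug's own source: a minimal reimplementation of the safe_join() check set described above, once without and once with the extra leading-slash rejection that 3.0.6 introduced. Because the flaw only shows on Windows with an old interpreter, the example injects a simulated isabs() instead of calling os.path.isabs(): legacy_windows_isabs() reproduces the pre-3.11 ntpath.isabs() behaviour (drive/UNC prefix stripped, then look for a leading separator, so a bare share root yields nothing and is reported relative), and unc_aware_isabs() stands in for the corrected behaviour. Both helpers, the WINDOWS_ALT_SEPS constant and the function names are assumptions made for this illustration; the sample inputs are constructed.

```python
import ntpath
import posixpath
from typing import Callable, Optional, Tuple

# On Windows os.sep is "\\" and os.path.altsep is "/", so the only alternative
# separator a user-supplied segment must never contain is the backslash.
# (Assumed to mirror the separator list safe_join() builds at import time.)
WINDOWS_ALT_SEPS: Tuple[str, ...] = ("\\",)


def legacy_windows_isabs(path: str) -> bool:
    """Simulate ntpath.isabs() as it behaved on Python < 3.11 (assumption).

    The drive or UNC prefix is split off first and only the remainder is
    inspected for a leading separator. For a bare share root such as
    //server/share the remainder is empty, so the path is reported as relative.
    """
    _drive, rest = ntpath.splitdrive(path)
    return len(rest) > 0 and rest[0] in ("/", "\\")


def unc_aware_isabs(path: str) -> bool:
    """Simulate the corrected behaviour (Python >= 3.11): a UNC prefix is absolute."""
    drive, _rest = ntpath.splitdrive(path)
    return legacy_windows_isabs(path) or drive.startswith(("//", "\\\\"))


def _safe_join(
    directory: str,
    pathnames: Tuple[str, ...],
    isabs: Callable[[str], bool],
    reject_leading_slash: bool,
) -> Optional[str]:
    """Join untrusted segments onto directory, or return None if any is unsafe."""
    if not directory:
        directory = "."
    parts = [directory]

    for filename in pathnames:
        if filename != "":
            # POSIX-style normalisation; note it preserves a leading "//".
            filename = posixpath.normpath(filename)

        if (
            any(sep in filename for sep in WINDOWS_ALT_SEPS)
            or isabs(filename)
            or filename == ".."
            or filename.startswith("../")
            # The 3.0.6 fix: reject any leading slash regardless of what
            # the platform's isabs() thinks about UNC prefixes.
            or (reject_leading_slash and filename.startswith("/"))
        ):
            return None

        parts.append(filename)

    return posixpath.join(*parts)


def safe_join_vulnerable(
    directory: str, *pathnames: str, isabs: Callable[[str], bool] = legacy_windows_isabs
) -> Optional[str]:
    """Pre-3.0.6 check set: trusts isabs() alone for absolute-path detection."""
    return _safe_join(directory, pathnames, isabs, reject_leading_slash=False)


def safe_join_fixed(
    directory: str, *pathnames: str, isabs: Callable[[str], bool] = legacy_windows_isabs
) -> Optional[str]:
    """3.0.6 check set: additionally rejects any segment starting with "/"."""
    return _safe_join(directory, pathnames, isabs, reject_leading_slash=True)


if __name__ == "__main__":
    # Constructed inputs: a UNC share root slips past the old check and
    # replaces the base directory entirely, because posixpath.join() discards
    # everything before a component that starts with "/".
    print(safe_join_vulnerable("uploads", "//server/share"))   # //server/share
    print(safe_join_fixed("uploads", "//server/share"))        # None
    # With a UNC-aware isabs() (Python >= 3.11) even the old code is safe.
    print(safe_join_vulnerable("uploads", "//server/share", isabs=unc_aware_isabs))  # None
    print(safe_join_fixed("uploads", "docs/readme.txt"))       # uploads/docs/readme.txt
```

The interesting line is the posixpath.join() at the end: once a segment beginning with "/" reaches it, the base directory is thrown away, which is why safe_join() must reject such segments itself rather than rely on the platform's notion of "absolute". Traversal via "../" and drive-letter paths such as C:/secret.txt were already caught before the fix; only the UNC share root fell through.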
Statement
Red Hat is not affected by this vulnerability, as it is specific to applications using certain versions of Python on Windows.
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | python3.11-werkzeug | Not affected | ||
| Red Hat Ceph Storage 5 | python-werkzeug | Not affected | ||
| Red Hat Ceph Storage 6 | python-werkzeug | Not affected | ||
| Red Hat Ceph Storage 7 | python-werkzeug | Not affected | ||
| Red Hat Enterprise Linux 8 | python-werkzeug | Not affected | ||
| Red Hat OpenShift Container Platform 4 | python-werkzeug | Not affected | ||
| Red Hat OpenStack Platform 16.2 | python-werkzeug | Not affected | ||
| Red Hat OpenStack Platform 17.1 | python-werkzeug | Not affected | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Not affected | ||
| Red Hat Storage 3 | python-werkzeug | Not affected | | |
Additional information
EPSS: 3.7 (Low)