Описание
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | windows-specific |
| esm-infra/bionic | not-affected | windows-specific |
| esm-infra/focal | not-affected | windows-specific |
| esm-infra/xenial | not-affected | windows-specific |
| focal | not-affected | windows-specific |
| jammy | not-affected | windows-specific |
| noble | not-affected | windows-specific |
| oracular | not-affected | windows-specific |
| upstream | not-affected | debian: Windows-specific |
Показывать по
Ссылки на источники
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
Werkzeug is a Web Server Gateway Interface web application library. On ...
EPSS
5.3 Medium
CVSS3