CVE-2024-49766

Publication date 25 October 2024

Last updated 30 October 2024

Ubuntu priority

Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-werkzeug	24.10 oracular	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

This is a Windows-specific CVE

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-49766
https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j
https://github.com/pallets/werkzeug/commit/87cc78a25f782f8c59fbde786840a00cf0d09b3d (3.0.6)
https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092
https://github.com/pallets/werkzeug/releases/tag/3.0.6