Bug 2321828 (CVE-2024-49766)

Summary: CVE-2024-49766 werkzeug: python-werkzeug: Werkzeug safe_join not safe on Windows
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability    Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified    CC: amctagga, aoconnor, bdettelb, bniver, brking, doconnor, eglynn, flucifre, gmeno, haoli, hkataria, jcammara, jjoyce, jmitchel, jneedle, jschluet, kegrant, koliveir, kshier, lhh, lsvaty, mabashia, mbenjamin, mburns, mgarciac, mhackett, pbraun, pgrist, shvarugh, simaishi, smcdonal, sostapov, stcannon, teagle, tfister, thavo, vereddy, yguenane
Target Milestone: ---    Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Werkzeug. In Python versions below v3.11 on Windows, os.path.isabs() does not catch UNC paths such as `//server/share`. Werkzeug's safe_join() relies on this check and can produce a path that is not safe, which can allow unintended access to data.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-10-25 20:00:58 UTC
Werkzeug is a Web Server Gateway Interface (WSGI) web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not running on Windows, are not affected. Werkzeug version 3.0.6 contains a patch.
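As an added illustration (not Werkzeug's own code), the following safe_join variant checks for UNC-style segments explicitly instead of relying on os.path.isabs() alone, so the check does not depend on the Python version or platform; the sample inputs below are constructed.

```python
import os
import posixpath
from typing import Optional

# Separators rejected in untrusted segments. Backslash is always included here
# (conservative, platform-independent) rather than only when it is os.sep.
_ALT_SEPS = ("\\",)


def is_unc_like(segment: str) -> bool:
    """True if the segment looks like a UNC path (//server/share or \\\\server\\share).

    On Windows with Python < 3.11, os.path.isabs() returns False for these,
    so an absolute-path check alone does not reject them.
    """
    normalized = segment.replace("\\", "/")
    return normalized.startswith("//")


def safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted path segments onto a trusted base directory.

    Returns None when any segment is absolute, UNC-like, contains an
    alternate separator, or tries to climb out of the base with '..'.
    """
    if not directory:
        directory = "."
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            # normpath collapses 'a/../b' but keeps a leading '//' intact,
            # which is exactly why the explicit UNC check below is needed.
            filename = posixpath.normpath(filename)
        if (
            any(sep in filename for sep in _ALT_SEPS)
            or os.path.isabs(filename)
            or is_unc_like(filename)  # explicit check that isabs() may miss
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


if __name__ == "__main__":
    # Constructed inputs: the UNC form from the advisory plus ordinary cases.
    for segment in ("css/app.css", "a/../b", "../secret", "//server/share", "\\\\server\\share"):
        print(repr(segment), "->", safe_join("static", segment))
```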