CVE-2024-49766 (Low) detected in Werkzeug-2.2.3-py3-none-any.whl - autoclosed

[mend-for-github-com[bot]]

CVE-2024-49766 - Low Severity Vulnerability

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /contrib/EdgeXfoundry/app/requirements.txt

Path to vulnerable library: /contrib/EdgeXfoundry/app/requirements.txt

Dependency Hierarchy: - Flask-1.1.2-py2.py3-none-any.whl (Root Library) - :x: **Werkzeug-2.2.3-py3-none-any.whl** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.

Publish Date: 2024-10-25

URL: CVE-2024-49766

CVSS 3 Score Details (3.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j

Release Date: 2024-10-25

Fix Resolution: Werkzeug - 3.0.6

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.