pallets / werkzeug

The comprehensive WSGI web application library.
https://werkzeug.palletsprojects.com
BSD 3-Clause "New" or "Revised" License

CVE-2024-34069 for version 2 #2915

Closed lewijw closed 3 months ago

lewijw commented 3 months ago

The commit that fixed CVE-2024-34069 is: https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692

Is there any possibility of getting this in version 2? I ask because Airflow is having difficulties in upgrading to Connexion 3 which is apparently needed to go to version 3 of Werkzeug. Hopefully, that will change, but until then, it would be helpful to get the fix into version 2.

Thanks for considering this.

ThiefMaster commented 3 months ago

You can safely ignore that CVE since the debugger is purely a dev tool, and even in development you can simply disable it if you believe that the vulnerability is actually a problem for you(r developers).

davidism commented 3 months ago

We only support the latest feature branch, which is currently 3.0.x.

That CVE's score does not represent its applicability. As its description says, you would need to be running the dev server (so this wouldn't be applicable in production), be on a network that allows DNS to resolve to localhost (enterprises may disallow this already), interact with an attacker's domain, enter the debugger pin after doing that, and the attacker would need to know a route in your application that raises an unhandled exception.

lewijw commented 3 months ago

@ThiefMaster and @davidism, thanks for the quick reply. I appreciate your comments that this can be ignored, but unfortunately customers that run scans see these issues and get excited. It is preferable if they do not show up at all.

Thanks again for your consideration even if you decide not to patch version 2.

lewijw commented 3 months ago

@ThiefMaster and @davidism, I am willing to submit a PR if it would help.

davidism commented 3 months ago

> customers that run scans see these issues and get excited. It is preferable if they do not show up at all.

Yes, this is a general problem with the CVE system: users lack the context or expertise to actually make calls about things, so the only metric left to them is "no messages at all", which is not realistic or helpful. If they're a customer, presumably they are not a developer, and so the debugger would not be enabled for them. You can explain this to them so they can add an ignore rule to their scanner.