Security Advisories

CGA-mmv2-q2vv-5j43

Published

Last updated

https://images.chainguard.dev/security/CGA-mmv2-q2vv-5j43

Package

superset

Latest Update

Fixed

Fixed Version

4.0.1-r0

Aliases

CVE-2024-34069
GHSA-2g68-c3qc-8985

Severity

7.5

High

CVSS V3

Summary

Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain

Description

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-34069
https://github.com/advisories/GHSA-2g68-c3qc-8985
https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985
https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692
https://github.com/pallets/werkzeug
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ
https://security.netapp.com/advisory/ntap-20240614-0004

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CGA-mmv2-q2vv-5j43

Severity

Summary

Description

References

Updates

Product

Why Chainguard

Customers

Company

Resources