ALAS-2024-662

Amazon Linux 2023 Security Advisory: ALAS-2024-662
Advisory Release Date: 2024-07-18 01:24 Pacific
Advisory Updated Date: 2024-07-22 16:00 Pacific

Severity: Important

References: CVE-2024-34069
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3. (CVE-2024-34069)

Affected Packages:

python-werkzeug

Issue Correction:
Run dnf update python-werkzeug --releasever 2023.5.20240722 to update your system.

New Packages:

noarch:
    python3-werkzeug-1.0.1-5.amzn2023.0.5.noarch
    python3-werkzeug-doc-1.0.1-5.amzn2023.0.5.noarch

src:
    python-werkzeug-1.0.1-5.amzn2023.0.5.src

Additional References

Red Hat: CVE-2024-34069

Mitre: CVE-2024-34069

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-662

Additional References