CVE-2024-34069 for version 2 #2915
The commit that fixed CVE-2024-34069 is: 3386395

Is there any possibility of getting this in version 2? I ask because Airflow is having difficulties in upgrading to Connexion 3, which is apparently needed to go to version 3 of Werkzeug. Hopefully, that will change, but until then, it would be helpful to get the fix into version 2.

Thanks for considering this.

Comments

You can safely ignore that CVE since the debugger is purely a dev tool, and even in development you can simply disable it if you believe that the vulnerability is actually a problem for you(r developers).

We only support the latest feature branch, which is currently 3.0.x. That CVE's score does not represent its applicability. As its description says, you would need to be running the dev server (so this wouldn't be applicable in production), be on a network that allows DNS to resolve to localhost (enterprises may disallow this already), interact with an attacker's domain, enter the debugger pin after doing that, and the attacker would need to know a route in your application that raises an unhandled exception.

@ThiefMaster and @davidism, thanks for the quick reply. I appreciate your comments that this can be ignored, but unfortunately customers that run scans see these issues and get excited. It would be preferable if they did not show up at all. Thanks again for your consideration even if you decide not to patch version 2.

@ThiefMaster and @davidism, I am willing to submit a PR if it would help.

Yes, this is a general problem with the CVE system: users lack the context or expertise to actually make calls about things, so the only metric left to them is "no messages at all", which is not realistic or helpful. If they're a customer, presumably they are not a developer, and so the debugger would not be enabled for them. You can explain this to them so they can add an ignore rule to their scanner.
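The preconditions listed in the maintainer's reply above (running the dev server, being on a network where an attacker-controlled name can resolve to localhost, visiting the attacker's domain, and having a route that raises an unhandled exception) describe a DNS-rebinding attack against the debugger console: the victim's browser is tricked into sending console requests to 127.0.0.1 while the Host header still names the attacker's domain. The following stdlib-only WSGI middleware is an added illustration written for this page, not Werkzeug's own patch and not code from anyone in the thread; it shows the kind of Host-header allowlist that breaks that chain. The only thing it borrows from Werkzeug is the real console convention of marking debugger requests with a `__debugger__=yes` query parameter; `TRUSTED_HOSTS`, `HostCheckedDebugger`, `host_is_trusted`, `simulate` and the inner app are assumptions made up for the example.

```python
"""Host-header allowlist in front of a debugger-style endpoint.

Added example for this page: illustrative, stdlib-only, and not the Werkzeug
patch. It assumes the privileged endpoint is reached via the `__debugger__=yes`
query parameter (the real Werkzeug console convention) and that only local
hostnames should ever be allowed to talk to it.
"""
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Assumption for this example: hosts a developer would legitimately use.
TRUSTED_HOSTS = ("localhost", "127.0.0.1", "[::1]")


def host_is_trusted(host_header, trusted=TRUSTED_HOSTS):
    """Return True only if the Host header names a trusted host.

    The port is stripped before comparison, IPv6 literals keep their brackets,
    and a missing or empty Host header is never trusted. Any subdomain of
    .localhost is accepted because browsers resolve it to loopback.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host in trusted or host.endswith(".localhost")


def is_debugger_request(environ):
    """True when the query string carries the console marker."""
    return parse_qs(environ.get("QUERY_STRING", "")).get("__debugger__") == ["yes"]


class HostCheckedDebugger:
    """WSGI middleware (hypothetical) refusing console requests from untrusted hosts.

    Ordinary application requests pass through untouched; only requests aimed at
    the console are subject to the Host check. A DNS-rebound request arrives
    with Host: attacker.example and is rejected before anything else runs.
    """

    def __init__(self, app, trusted=TRUSTED_HOSTS):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        if is_debugger_request(environ) and not host_is_trusted(
            environ.get("HTTP_HOST"), self.trusted
        ):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Untrusted Host header; debugger request refused\n"]
        return self.app(environ, start_response)


def _inner_app(environ, start_response):
    """Stand-in for the protected application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"debugger console would be served here\n"]


def simulate(host, query):
    """Drive the middleware with a constructed WSGI environ.

    Returns (status_line, body) so the outcome of a given Host header and query
    string can be checked without a network.
    """
    environ = {}
    setup_testing_defaults(environ)
    environ["HTTP_HOST"] = host
    environ["QUERY_STRING"] = query
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(HostCheckedDebugger(_inner_app)(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Rebound request: browser talks to 127.0.0.1 but sends the attacker's Host.
    print(simulate("attacker.example:5000", "__debugger__=yes&cmd=resource"))
    # Developer's own console request.
    print(simulate("localhost:5000", "__debugger__=yes&cmd=resource"))
    # Non-console traffic is never blocked by this check.
    print(simulate("attacker.example", ""))
```

The check is deliberately narrow: it refuses only console traffic, so a mismatched Host header on a normal route still reaches the application and the debugger PIN remains a second, independent gate. It does nothing for a server that is not running the debugger at all, which is the cheaper mitigation the first reply points to: leave the debugger off (for example, `run_simple`'s `use_debugger` flag) unless a developer needs it on that machine.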