Dependabot Security Alert
| Field | Value |
| --- | --- |
| GHSA | GHSA-f9vj-2wh5-fj8j |
| CVE | CVE-2024-49766 |
| Severity | medium |
| Package | Werkzeug (pip) |
| Affected version | runtime |
| Summary | Werkzeug safe_join not safe on Windows |
| Repository | Qbeast-io/qbeast-spark |
Description
On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.
Alert link
View on GitHub
Automatically created by the Vanta/Dependabot → ZenHub sync pipeline
GHSA: GHSA-f9vj-2wh5-fj8j