H3-2021-0037
Werkzeug Debug Console Enabled
| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 4.0 |
Description
Werkzeug is a popular framework for developing Python web applications. It ships with an interactive debugger that must not be enabled in production, because the debugger exposes the application's source, local variables and, through its console, a way to execute Python code on the host.
Impact
If the debugger is enabled without a PIN, attackers can easily use the Werkzeug debug console to run arbitrary commands on the host as the user running the vulnerable Python application. Even if remote code execution is not possible, attackers may still gain valuable information about the behavior of the application that can be used for other types of attacks.
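A pre-deployment check that flags the weak settings this entry describes, written as an added example (it is not code from this entry or from the Werkzeug project). It models three inputs that decide whether the debugger and its console end up enabled: the `FLASK_DEBUG` environment variable (parsed the way Flask's CLI parses it: true unless the value is `0`, `false` or `no`, case-insensitive), the `use_debugger` and `use_evalex` arguments of `werkzeug.serving.run_simple()` (`use_evalex=False` keeps the traceback page but turns off the interactive console), and the `WERKZEUG_DEBUG_PIN` environment variable, which Werkzeug honours with the value `off` to disable the console PIN. Those parsing rules are stated as assumptions in the code; the helper names, the severity labels and the sample launches are constructed for this example, and nothing here imports Flask or Werkzeug, so it runs offline.

```python
"""Added example: audit the settings that enable the Werkzeug debugger.

Assumptions (not taken from the H3 entry):
  * FLASK_DEBUG is parsed like Flask's CLI does: true unless the value is
    0/false/no (case-insensitive); unset means off.
  * use_debugger / use_evalex model the run_simple() arguments;
    use_evalex=False shows tracebacks but disables the interactive console.
  * WERKZEUG_DEBUG_PIN="off" is the environment value that disables the PIN.
"""

FALSY = {"0", "false", "no"}


def flask_debug_flag(env):
    """True when FLASK_DEBUG would switch on app.debug (and so the debugger)."""
    val = env.get("FLASK_DEBUG")
    return bool(val and val.lower() not in FALSY)


def debugger_enabled(env, use_debugger=None):
    """Effective debugger state: an explicit use_debugger/debug argument wins,
    otherwise the launch inherits FLASK_DEBUG from the environment."""
    if use_debugger is not None:
        return bool(use_debugger)
    return flask_debug_flag(env)


def audit_launch(env, use_debugger=None, use_evalex=True, production=True):
    """Return (severity, finding) pairs for one planned launch.

    Severities follow the Impact text of the entry: code execution when the
    console is reachable without a PIN, information disclosure when only
    traceback pages are shown."""
    if not debugger_enabled(env, use_debugger):
        return []
    findings = []
    if production:
        findings.append(("high", "Werkzeug debugger enabled for a production launch"))
    if use_evalex:
        pin = env.get("WERKZEUG_DEBUG_PIN", "")
        if pin.strip().lower() == "off":
            findings.append(("critical",
                             "interactive console enabled with PIN disabled: arbitrary code execution"))
        else:
            findings.append(("high",
                             "interactive console enabled (PIN-gated); source and locals still disclosed"))
    else:
        findings.append(("medium",
                         "traceback pages enabled without console: source and variable disclosure"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when the launch is clean."""
    order = {"critical": 4, "high": 3, "medium": 2, "low": 1}
    return max((sev for sev, _ in findings), key=order.get, default=None)


# Constructed sample launches: the weak configuration and its hardened form.
WEAK_LAUNCH = {
    "env": {"FLASK_DEBUG": "1", "WERKZEUG_DEBUG_PIN": "off"},
    "use_debugger": None,   # inherit from FLASK_DEBUG
    "use_evalex": True,     # console on
}
HARDENED_LAUNCH = {
    "env": {"FLASK_DEBUG": "0"},
    "use_debugger": False,  # explicit off, regardless of environment
    "use_evalex": False,
}


if __name__ == "__main__":
    for name, launch in (("weak", WEAK_LAUNCH), ("hardened", HARDENED_LAUNCH)):
        found = audit_launch(launch["env"], launch["use_debugger"], launch["use_evalex"])
        print(f"{name}: worst={worst_severity(found)}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

Run it before a deployment (or wire `audit_launch` into a CI step that reads the real environment and launch arguments) and fail the pipeline on any `critical` or `high` finding; the `medium` case corresponds to the entry's second sentence, where tracebacks alone still leak application internals.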