Werkzeug Interactive Debugging is Active
Impact: Medium
Description
Werkzeug is a comprehensive WSGI web application library for the Python language. Werkzeug provides a WSGI middleware that renders detailed tracebacks, optionally with an interactive debug console that can execute code in any frame of the traceback. This console functionality can be abused by attackers to run arbitrary code, and therefore commands, on the server.
Recommendation
Do not use the DebuggedApplication middleware on production servers, and make sure to pass False as the use_debugger value in the run_simple() function call.
If you're using Flask, set FLASK_ENV to production in the environment variables.
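The following Python example is added here and is not part of the original advisory or of Werkzeug itself. It covers both sides of the issue above: a check that classifies an HTTP response body as a plain error page, a leaked Werkzeug traceback, or a traceback with the interactive console enabled, and a start-up helper that only enables the debugger when FLASK_ENV is explicitly development (or FLASK_DEBUG is set), defaulting to production otherwise. The HTML markers are taken from the Werkzeug debugger's own page template; the sample response bodies and the environment dictionaries are constructed for illustration, and run_simple() is only called under the __main__ guard so the helpers run without Werkzeug installed.

```python
"""Werkzeug debugger: production-safe configuration plus a response check.

Added example, not code from the original advisory.  Assumptions: the
markers below come from the Werkzeug debugger HTML template; the sample
responses are constructed, not captured from a real host.
"""
import os
import re

# Strings the Werkzeug debugger template emits on every rendered traceback.
DEBUGGER_MARKERS = (
    "Werkzeug Debugger",   # part of the <title>
    'class="debugger"',    # wrapper div around the traceback
    "DON'T PANIC",         # footer text
)
# "EVALEX = true" is only emitted when the interactive console is enabled,
# i.e. when the page allows code execution and not merely reading frames.
CONSOLE_MARKER = re.compile(r"EVALEX\s*=\s*true")


def classify_error_page(body: str) -> str:
    """Return 'console', 'traceback' or 'none' for an HTTP response body.

    'console'   -> debugger page with the interactive console enabled
    'traceback' -> debugger page leaking a traceback, console disabled
    'none'      -> no Werkzeug debugger markers present
    """
    hits = sum(marker in body for marker in DEBUGGER_MARKERS)
    if hits == 0:
        return "none"
    if CONSOLE_MARKER.search(body):
        return "console"
    return "traceback"


def debugger_allowed(environ=None) -> bool:
    """Decide from the environment whether the debugger may be enabled.

    The debugger is allowed only when FLASK_ENV is exactly 'development'
    (the variable the advisory refers to) or FLASK_DEBUG is truthy.  An
    unset or unrecognised value is treated as production, so the safe
    setting is the default rather than something that must be remembered.
    """
    env = os.environ if environ is None else environ
    flask_env = env.get("FLASK_ENV", "production").strip().lower()
    flask_debug = env.get("FLASK_DEBUG", "0").strip().lower()
    return flask_env == "development" or flask_debug in ("1", "true", "yes")


# Constructed sample bodies (not captured from any real host).  The SECRET
# value is a placeholder; a live page carries a per-process token there.
SAMPLE_CONSOLE = (
    "<html><head><title>ZeroDivisionError // Werkzeug Debugger</title>\n"
    '<script>var CONSOLE_MODE = false, EVALEX = true, SECRET = "PLACEHOLDER";</script>\n'
    '</head><body><div class="debugger">...</div>\n'
    "<div class=\"footer\">Brought to you by <strong class=\"arthur\">DON'T PANIC</strong>"
    "</div></body></html>"
)
SAMPLE_TRACEBACK = SAMPLE_CONSOLE.replace("EVALEX = true", "EVALEX = false")
SAMPLE_CLEAN = "<html><body><h1>Internal Server Error</h1></body></html>"


def plain_app(environ, start_response):
    """Minimal WSGI app; note it is NOT wrapped in DebuggedApplication."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


if __name__ == "__main__":
    from werkzeug.serving import run_simple

    # run_simple() wraps the app in DebuggedApplication only when
    # use_debugger is True, so passing False here is the recommended
    # production setting; debugger_allowed() keeps False as the default.
    for name, body in (("console", SAMPLE_CONSOLE),
                       ("traceback", SAMPLE_TRACEBACK),
                       ("clean", SAMPLE_CLEAN)):
        print(f"{name:10s} -> {classify_error_page(body)}")
    run_simple("127.0.0.1", 5000, plain_app, use_debugger=debugger_allowed())
```

classify_error_page() is the check a defender would run over error responses from a staging or production host (or over stored HTTP logs) to confirm the debugger is off; a 'console' result means the interactive console is reachable and the deployment must be corrected before anything else. debugger_allowed() inverts the usual mistake by making production the default, so a missing environment variable never turns the console on.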
References
- Werkzeug
- OWASP: Error Handling Cheat Sheet
- CWE-209
- CWE-200
- OWASP 2007-A6
- OWASP 2021-A1
- OWASP 2021-A4
Last updated on December 12, 2021