VYPR
High severity · NVD Advisory · Published Jul 28, 2019 · Updated Aug 5, 2024

CVE-2019-14322

Description

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Werkzeug before 0.15.5 allowed path traversal on Windows via drive names in SharedDataMiddleware, enabling unauthenticated read access to arbitrary files the application process can open.

Vulnerability

Overview

The vulnerability resides in Werkzeug's SharedDataMiddleware, the component that serves static files from configured directories. On Windows, the middleware joined the request path onto the configured directory with os.path.join(), which treats a segment that carries a drive name (e.g. C:) as a new starting point: the combined path is reset to that drive and everything joined before it is discarded. A request path containing a drive name therefore escapes the intended directory regardless of any other sanitisation applied to the path [4].

Exploitation

Prerequisites

An attacker must be able to send HTTP requests to a Windows-hosted application that serves static files through Werkzeug's SharedDataMiddleware. No authentication is required; the attack consists of a request whose URL path contains a drive letter (e.g. C:) and therefore resolves outside the document root [1][4].

Impact

Successful exploitation allows an unauthenticated remote attacker to read any file on the Windows filesystem that the application process can read. The same flaw had already been addressed in safe_join() in Werkzeug 0.12.2, but SharedDataMiddleware did not use safe_join() and resolved paths with its own unprotected join [4].

Mitigation

Status

The issue is fixed in Werkzeug 0.15.5, released on 2019-07-17; the fix makes SharedDataMiddleware resolve paths through safe_join(). Anyone running a version before 0.15.5 on Windows should update immediately [4]. Deployments on POSIX platforms are not reachable through the drive-name behaviour itself, since only Windows path joining gives drive letters this meaning, but an upgrade is still advisable for any code that may later be deployed on Windows.
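The following is an added worked example, not code from the Werkzeug project or from this advisory, illustrating both the Overview (how a drive-name segment makes the joined path escape the static directory) and the fix described above (a safe_join-style check). It uses CPython's ntpath module so the Windows path semantics can be reproduced on any platform. The request-path cleanup and the safe_join_nt() function are simplified re-implementations written for this example, modelled on the behaviour the advisory describes rather than copied from the library; the document root and request paths are constructed.

```python
import ntpath
import posixpath

# Constructed example: a Windows document root.  ntpath is CPython's Windows
# path implementation, so everything below behaves identically on Linux/macOS.
STATIC_ROOT = r"C:\app\static"


def clean_path_info(path_info):
    """Approximation (assumption, not the library's code) of the URL cleanup the
    pre-fix middleware applied: strip outer slashes, normalise backslashes to
    '/', and drop empty and '..' segments.  Drive names are never examined,
    which is the gap CVE-2019-14322 describes."""
    cleaned = path_info.strip("/").replace("\\", "/")
    return "/".join(seg for seg in cleaned.split("/") if seg and seg != "..")


def vulnerable_resolve(root, path_info):
    """Pre-0.15.5 behaviour: plain os.path.join() semantics (ntpath here).
    A segment that carries a drive name, e.g. 'c:/windows/win.ini' or
    'd:secrets.txt', makes join() discard `root` and start over at that
    drive, so the returned path lies outside the static directory."""
    return ntpath.join(root, clean_path_info(path_info))


def safe_join_nt(root, filename):
    """Windows-flavoured re-implementation of the safe_join() idea that 0.15.5
    applied to SharedDataMiddleware (assumption: modelled on the documented
    checks, not copied from Werkzeug).  Returns None when `filename` could
    leave `root`: it must contain no backslash and no drive name, must not be
    absolute, and must not begin with '..' after normalisation.  As a final
    guard, the normalised result must still lie under `root`."""
    if filename:
        filename = posixpath.normpath(filename)
    drive, _ = ntpath.splitdrive(filename)
    if (
        "\\" in filename
        or drive
        or ntpath.isabs(filename)
        or filename == ".."
        or filename.startswith("../")
    ):
        return None
    candidate = ntpath.normpath(ntpath.join(root, filename))
    root_norm = ntpath.normcase(ntpath.normpath(root))
    cand_norm = ntpath.normcase(candidate)
    if cand_norm != root_norm and not cand_norm.startswith(root_norm + ntpath.sep):
        return None
    return candidate


def hardened_resolve(root, path_info):
    """Post-fix behaviour: same cleanup, then safe_join-style resolution."""
    return safe_join_nt(root, clean_path_info(path_info))


if __name__ == "__main__":
    # Constructed request paths: one benign, one classic '..' traversal that
    # the old cleanup already blocked, and two drive-name escapes it did not.
    for req in ["/css/site.css", "/../../boot.ini",
                "/c:/windows/win.ini", "/d:secrets.txt"]:
        print(f"{req:22} vulnerable -> {vulnerable_resolve(STATIC_ROOT, req)!r:38}"
              f" hardened -> {hardened_resolve(STATIC_ROOT, req)!r}")
```

Run as a script it prints one line per request: the two drive-name requests resolve to c:/windows/win.ini and d:secrets.txt under the vulnerable join, while the hardened resolver rejects both and returns None. The final containment check in safe_join_nt() is deliberately redundant with the segment checks; it is the guard that still holds if a future Python release changes what ntpath.isabs() considers absolute.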

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
werkzeug    PyPI        < 0.15.5            0.15.5

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 5
