#VU30827 Insufficient Entropy in Werkzeug - CVE-2019-14806


| Updated: 2020-07-17

Vulnerability identifier: #VU30827

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-14806

CWE-ID: CWE-331

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Werkzeug
Web applications / JS libraries

Vendor: The Pallets Projects

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Werkzeug: 0.15.0 - 0.15.2

External links
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html
https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168
https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
https://palletsprojects.com/blog/werkzeug-0-15-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Data System
Multiple vulnerabilities in IBM SOAR QRadar Plugin App
SUSE update for python-Werkzeug
Ubuntu update for python-werkzeug
OpenSUSE Linux update for python-Werkzeug
OpenSUSE Linux update for python-Werkzeug
Insufficient Entropy in Werkzeug