Insufficient Entropy in Werkzeug
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-14806 |
| CWE-ID | CWE-331 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Werkzeug Web applications / JS libraries |
| Vendor | The Pallets Projects |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Insufficient Entropy
EUVDB-ID: #VU30827
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-14806
CWE-ID:
CWE-331 - Insufficient Entropy
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
MitigationInstall update from vendor's website.
Vulnerable software versionsWerkzeug: 0.15.0 - 0.15.2
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html
http://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168
http://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
http://palletsprojects.com/blog/werkzeug-0-15-3-released/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
