Insufficient Entropy in Werkzeug
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-14806 |
| CWE-ID | CWE-331 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Werkzeug Web applications / JS libraries |
| Vendor | The Pallets Projects |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Insufficient Entropy
EUVDB-ID: #VU30827
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-14806
CWE-ID:
CWE-331 - Insufficient Entropy
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
MitigationInstall update from vendor's website.
Vulnerable software versionsWerkzeug: 0.15.0 - 0.15.2
CPE2.3- cpe:2.3:a:palletsprojects:werkzeug:0.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:palletsprojects:werkzeug:0.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:palletsprojects:werkzeug:0.15.2:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html
https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168
https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
https://palletsprojects.com/blog/werkzeug-0-15-3-released/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
