Main Vulnerability Database SB2020120122

SB2020120122 - Ubuntu update for python-werkzeug

Published: December 1, 2020 Updated: April 23, 2025

Security Bulletin ID SB2020120122

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Insufficient Entropy (CVE-ID: CVE-2019-14806)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.

2) Open redirect (CVE-ID: CVE-2020-28724)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data within the double slash in the URL. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Remediation

Install update from vendor's website.

References

https://ubuntu.com/security/notices/USN-4655-1