Main Vulnerability Database Vulnerabilities #VU26753

#VU26753 Insufficient Entropy in Werkzeug

Published: April 9, 2020

Vulnerability identifier: #VU26753

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-331

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Werkzeug

Software vendor:
The Pallets Projects

Description

The vulnerability allows a local attacker to gain access to sensitive information on the system.

The vulnerability exists due to the secure cookies created as part of "werkzeug.contrib.securecookie" are generate through weak hashing which deviates from security best practice. A local attacker can gain access to sensitive information on the target system.

Remediation

Install updates from vendor's website.

External links

https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-564340
https://github.com/pallets/werkzeug/commit/84eabcaa81f60d47939ac2d43f01d01eeab598a4
https://github.com/pallets/werkzeug/blob/master/CHANGES.rst#version-031

#VU26753 Insufficient Entropy in Werkzeug

Description

Remediation

External links

Please verify you're human