Main Vulnerability Database Vulnerabilities #VU26753

Insufficient Entropy in Werkzeug - #VU26753

Published: April 9, 2020

Vulnerability identifier: #VU26753

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-331

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: The Pallets Projects

Affected software:
Werkzeug

Detailed vulnerability description

The vulnerability allows a local attacker to gain access to sensitive information on the system.

The vulnerability exists due to the secure cookies created as part of "werkzeug.contrib.securecookie" are generate through weak hashing which deviates from security best practice. A local attacker can gain access to sensitive information on the target system.

Remediation

Install updates from vendor's website.

Sources

https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-564340
https://github.com/pallets/werkzeug/commit/84eabcaa81f60d47939ac2d43f01d01eeab598a4
https://github.com/pallets/werkzeug/blob/master/CHANGES.rst#version-031

Insufficient Entropy in Werkzeug - #VU26753

Detailed vulnerability description

Remediation

Sources

Please verify you're human