cvelistv5 - CVE-2023-30797

CVE-2023-30797 (GCVE-0-2023-30797)

Vulnerability from cvelistv5 – Published: 2023-04-19 19:10 – Updated: 2025-11-21 16:10

Summary

Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-330 - Use of Insufficiently Random Values

Assigner

VulnCheck

References

URL

Tags

	https://github.com/Netflix/security-bulletins/blo…	vendor-advisory
	https://github.com/Netflix/lemur/commit/666d85321…	patch
	https://github.com/Netflix/lemur/security/advisor…	vendor-advisory
	https://vulncheck.com/advisories/netflix-lemur-weak-rng	third-party-advisory

Impacted products

	Vendor	Product	Version
	Netflix	Lemur	Affected: 0 , < 1.3.2 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:37:15.447Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-30797",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T14:49:23.482600Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-330",
                "description": "CWE-330 Use of Insufficiently Random Values",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T14:50:36.951Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/lemur/",
          "defaultStatus": "unaffected",
          "packageName": "lemur",
          "product": "Lemur",
          "repo": "https://github.com/Netflix/lemur",
          "vendor": "Netflix",
          "versions": [
            {
              "lessThan": "1.3.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.3.2",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "datePublic": "2023-02-28T15:41:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-112",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-112 Brute Force"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330 Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-21T16:10:24.442Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Insecure Random Generation in Netflix Lemur",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2023-30797",
    "datePublished": "2023-04-19T19:10:12.523Z",
    "dateReserved": "2023-04-18T10:31:45.962Z",
    "dateUpdated": "2025-11-21T16:10:24.442Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.3.2\", \"matchCriteriaId\": \"AA02A184-ED2B-4577-BAB1-1B536179C263\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"\\n\\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\\n\\n\\n\"}]",
      "id": "CVE-2023-30797",
      "lastModified": "2024-11-21T08:00:55.260",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"disclosure@vulncheck.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2023-04-19T20:15:12.377",
      "references": "[{\"url\": \"https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238\", \"source\": \"disclosure@vulncheck.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm\", \"source\": \"disclosure@vulncheck.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md\", \"source\": \"disclosure@vulncheck.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://vulncheck.com/advisories/netflix-lemur-weak-rng\", \"source\": \"disclosure@vulncheck.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://vulncheck.com/advisories/netflix-lemur-weak-rng\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "disclosure@vulncheck.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"disclosure@vulncheck.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-330\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-330\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-30797\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2023-04-19T20:15:12.377\",\"lastModified\":\"2025-11-21T17:15:47.947\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-330\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-330\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-330\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.3.2\",\"matchCriteriaId\":\"AA02A184-ED2B-4577-BAB1-1B536179C263\"}]}]}],\"references\":[{\"url\":\"https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://vulncheck.com/advisories/netflix-lemur-weak-rng\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://vulncheck.com/advisories/netflix-lemur-weak-rng\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://vulncheck.com/advisories/netflix-lemur-weak-rng\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T14:37:15.447Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-30797\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-05T14:49:23.482600Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-330\", \"description\": \"CWE-330 Use of Insufficiently Random Values\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-05T14:50:21.800Z\"}}], \"cna\": {\"title\": \"Insecure Random Generation in Netflix Lemur\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-112\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-112 Brute Force\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/Netflix/lemur\", \"vendor\": \"Netflix\", \"product\": \"Lemur\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.3.2\", \"versionType\": \"semver\"}], \"packageName\": \"lemur\", \"collectionURL\": \"https://pypi.org/project/lemur/\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2023-02-28T15:41:00.000Z\", \"references\": [{\"url\": \"https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://vulncheck.com/advisories/netflix-lemur-weak-rng\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\u003cbr\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-330\", \"description\": \"CWE-330 Use of Insufficiently Random Values\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.3.2\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-11-21T16:10:24.442Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-30797\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-21T16:10:24.442Z\", \"dateReserved\": \"2023-04-18T10:31:45.962Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2023-04-19T19:10:12.523Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GSD-2023-30797

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-30797

Aliases

CVE-2023-30797

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-30797",
    "id": "GSD-2023-30797"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-30797"
      ],
      "details": "\n\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n",
      "id": "GSD-2023-30797",
      "modified": "2023-12-13T01:20:52.007624Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "disclosure@vulncheck.com",
        "ID": "CVE-2023-30797",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Lemur",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "\u003c1.3.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Netflix"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "\n\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-330",
                "lang": "eng",
                "value": "CWE-330 Use of Insufficiently Random Values"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md",
            "refsource": "MISC",
            "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
          },
          {
            "name": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238",
            "refsource": "MISC",
            "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
          },
          {
            "name": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm",
            "refsource": "MISC",
            "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
          },
          {
            "name": "https://vulncheck.com/advisories/netflix-lemur-weak-rng",
            "refsource": "MISC",
            "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.3.2",
          "affected_versions": "All versions before 1.3.2",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-330",
            "CWE-937"
          ],
          "date": "2023-05-01",
          "description": "\n\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n",
          "fixed_versions": [
            "1.3.2"
          ],
          "identifier": "CVE-2023-30797",
          "identifiers": [
            "CVE-2023-30797",
            "GHSA-5fqv-mpj8-h7gm"
          ],
          "not_impacted": "All versions starting from 1.3.2",
          "package_slug": "pypi/lemur",
          "pubdate": "2023-04-19",
          "solution": "Upgrade to version 1.3.2 or above.",
          "title": "Use of Insufficiently Random Values",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-30797",
            "https://vulncheck.com/advisories/netflix-lemur-weak-rng",
            "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238",
            "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm",
            "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
          ],
          "uuid": "61d7f7fa-d4c3-4178-aa52-6dbfcba21bc1"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.3.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "disclosure@vulncheck.com",
          "ID": "CVE-2023-30797"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "\n\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-330"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://vulncheck.com/advisories/netflix-lemur-weak-rng",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
            },
            {
              "name": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
            },
            {
              "name": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
            },
            {
              "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-05-01T19:55Z",
      "publishedDate": "2023-04-19T20:15Z"
    }
  }
}

FKIE_CVE-2023-30797

Vulnerability from fkie_nvd - Published: 2023-04-19 20:15 - Updated: 2025-11-21 17:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
disclosure@vulncheck.com	https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238	Patch
disclosure@vulncheck.com	https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm	Vendor Advisory
disclosure@vulncheck.com	https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md	Vendor Advisory
disclosure@vulncheck.com	https://vulncheck.com/advisories/netflix-lemur-weak-rng	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://vulncheck.com/advisories/netflix-lemur-weak-rng	Third Party Advisory

Impacted products

	Vendor	Product	Version
	netflix	lemur	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA02A184-ED2B-4577-BAB1-1B536179C263",
              "versionEndExcluding": "1.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur."
    }
  ],
  "id": "CVE-2023-30797",
  "lastModified": "2025-11-21T17:15:47.947",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-04-19T20:15:12.377",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-330"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-330"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-330"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-R4XG-4WRV-W72H

Vulnerability from github – Published: 2023-04-19 21:30 – Updated: 2024-09-30 18:51

Summary

Duplicate Advisory: Lemur subject to insecure random generation

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-5fqv-mpj8-h7gm. This link is maintained to preserve external references.

Original Description

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lemur"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-30T18:51:02Z",
    "nvd_published_at": "2023-04-19T20:15:12Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-5fqv-mpj8-h7gm. This link is maintained to preserve external references.\n\n## Original Description\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n",
  "id": "GHSA-r4xg-4wrv-w72h",
  "modified": "2024-09-30T18:51:02Z",
  "published": "2023-04-19T21:30:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Lemur subject to insecure random generation",
  "withdrawn": "2024-09-30T18:51:02Z"
}

GHSA-5FQV-MPJ8-H7GM

Vulnerability from github – Published: 2023-03-01 18:05 – Updated: 2024-09-30 19:44

Summary

Lemur subject to insecure random generation

Details

Overview

Lemur was using insecure random generation for its example configuration file, as well as for some utilities.

Impact

The potentially affected generated items include:

Configuration item	Config option name (if applicable)	Documentation link (if applicable)	Rotation option	Code reference(s)
Flask session secret	`SECRET_KEY`	Flask documentation	Generate a new secret and place in config; all existing sessions will be invalidated	N/A, internal to Flask
Lemur token secret	`LEMUR_TOKEN_SECRET`	Lemur's configuration documentation	Generate a new secret and place in config; all existing JWTs will be invalidated and must be regenerated (including API keys)	1, 2
Lemur database encryption key	`LEMUR_ENCRYPTION_KEYS`	Lemur's configuration documentation	A new key can be generated and added to this list, but existing data encrypted with prior keys cannot be re-encrypted unless you write a custom re-encryption process	1
OAuth2 state token secret key	`OAUTH_STATE_TOKEN_SECRET`	Lemur's configuration documentation	Generate a new secret and place in config	1
Randomly generated passphrases for openssl keystores	N/A, generated at runtime but persisted	N/A	Re-export all openssl keystores and replace them wherever they're in use	1
Initial password for LDAP users	N/A, generated at runtime but persisted	N/A	N/A, cannot be rotated*	1
Initial password for Ping/OAuth2 users	N/A, generated at runtime but persisted	N/A	N/A, cannot be rotated*	1
Oauth2 nonce	N/A, short-lived runtime secret	N/A	N/A, rotation is not required (these are short-lived)	1
Verisign certificate enrollment challenges	N/A, short-lived runtime secret	N/A	N/A, rotation is not required (these are short-lived)	1

If your deployment of Lemur is using any of the above config secrets that were generated by Lemur's example config (i.e., generated using insecure randomness), you should rotate those config secrets. If you generated your config secrets in a more secure way, they are not known to be compromised, but you should still upgrade Lemur to ensure that you receive code fixes for the runtime-generated secrets.

For general information and guidance on Lemur secret configuration, see Lemur's configuration documentation, which includes information on many of the configuration options listed above.

*For the user passwords: Even though these users are configured to use SSO, they do get generated with valid database passwords that can be used to log in. Since Lemur doesn't have an option to change passwords (#3888), one option for rotating them would be to directly modify the value in the database to some other unguessable string (you do not need to know the plaintext password since it won't be used).

Patches

The patch is available in v1.3.2.

Workarounds

No workarounds are available.

References

N/A

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lemur"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-01T18:05:56Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Overview\nLemur was using insecure random generation for its example configuration file, as well as for some utilities.\n\n### Impact\nThe potentially affected generated items include:\n\n| Configuration item      | Config option name (if applicable) | Documentation link (if applicable) | Rotation option | Code reference(s) |\n| ----------- | ----------- | ----------- | ----------- |----------- |\n| Flask session secret      | `SECRET_KEY`       | [Flask documentation](https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY) | Generate a new secret and place in config; all existing sessions will be invalidated | N/A, internal to Flask |\n| Lemur token secret | `LEMUR_TOKEN_SECRET` | [Lemur\u0027s configuration documentation](https://lemur.readthedocs.io/en/latest/administration.html#configuration) | Generate a new secret and place in config; all existing JWTs will be invalidated and must be regenerated (including API keys) | [1](https://github.com/Netflix/lemur/blob/1b61194a936240103f3c23299f9512c2b7e0fd36/lemur/auth/service.py#L79), [2](https://github.com/Netflix/lemur/blob/1b61194a936240103f3c23299f9512c2b7e0fd36/lemur/auth/service.py#L105) |\n| Lemur database encryption key | `LEMUR_ENCRYPTION_KEYS` | [Lemur\u0027s configuration documentation](https://lemur.readthedocs.io/en/latest/administration.html#configuration) | A new key can be generated and added to this list, but existing data encrypted with prior keys cannot be re-encrypted unless you write a custom re-encryption process | [1](https://github.com/Netflix/lemur/blob/3783fbeaa1645bbee022827f4f53ffb12dd65a61/lemur/utils.py#L58) |\n| OAuth2 state token secret key | `OAUTH_STATE_TOKEN_SECRET` | [Lemur\u0027s configuration documentation](https://lemur.readthedocs.io/en/latest/administration.html#configuration) | Generate a new secret and place in config | [1](https://github.com/Netflix/lemur/blob/4b03baaf5544f167e78055bab15a903b1badf22b/lemur/auth/views.py#L267) |\n| Randomly generated passphrases for openssl keystores | N/A, generated at runtime but persisted |N/A | Re-export all openssl keystores and replace them wherever they\u0027re in use | [1](https://github.com/Netflix/lemur/blob/2603776e5c0ac25fa0103ff1357dea391d880160/lemur/plugins/lemur_openssl/plugin.py#L129) |\n| Initial password for LDAP users | N/A, generated at runtime but persisted | N/A | N/A, cannot be rotated* | [1](https://github.com/Netflix/lemur/blob/3783fbeaa1645bbee022827f4f53ffb12dd65a61/lemur/auth/ldap.py#L66) |\n| Initial password for Ping/OAuth2 users | N/A, generated at runtime but persisted |N/A | N/A, cannot be rotated* | [1](https://github.com/Netflix/lemur/blob/4b03baaf5544f167e78055bab15a903b1badf22b/lemur/auth/views.py#L234) |\n| Oauth2 nonce | N/A, short-lived runtime secret |N/A | N/A, rotation is not required (these are short-lived) | [1](https://github.com/Netflix/lemur/blob/4b03baaf5544f167e78055bab15a903b1badf22b/lemur/auth/views.py#L668) |\n| Verisign certificate enrollment challenges | N/A, short-lived runtime secret | N/A | N/A, rotation is not required (these are short-lived) | [1](https://github.com/Netflix/lemur/blob/d4af5af99cd51016579f015d79df649c68a6ad15/lemur/plugins/lemur_verisign/plugin.py#L107) |\n\nIf your deployment of Lemur is using any of the above config secrets that were _generated by Lemur\u0027s example config_ (i.e., generated using insecure randomness), you should rotate those config secrets. If you generated your config secrets in a more secure way, they are not known to be compromised, but you should still upgrade Lemur to ensure that you receive code fixes for the runtime-generated secrets.\n\nFor general information and guidance on Lemur secret configuration, see [Lemur\u0027s configuration documentation](https://lemur.readthedocs.io/en/latest/administration.html#configuration), which includes information on many of the configuration options listed above.\n\n*For the user passwords: Even though these users are configured to use SSO, they do get generated with valid database passwords that can be used to log in. Since Lemur doesn\u0027t have an option to change passwords (#3888), one option for rotating them would be to directly modify the value in the database to some other unguessable string (you do not need to know the plaintext password since it won\u0027t be used).\n\n### Patches\nThe patch is available in v1.3.2.\n\n### Workarounds\nNo workarounds are available.\n\n### References\nN/A",
  "id": "GHSA-5fqv-mpj8-h7gm",
  "modified": "2024-09-30T19:44:46Z",
  "published": "2023-03-01T18:05:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/issues/3888"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Netflix/lemur"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2023-20.yaml"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Lemur subject to insecure random generation"
}

PYSEC-2023-20

Vulnerability from pysec - Published: 2023-04-19 20:15 - Updated: 2023-05-04 03:49

Details

Impacted products

Name	purl
lemur	pkg:pypi/lemur

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lemur",
        "purl": "pkg:pypi/lemur"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "666d853212174ee7f4e6f8b3b4b389ede1872238"
            }
          ],
          "repo": "https://github.com/Netflix/lemur",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.11.0",
        "0.2.1",
        "0.8.0",
        "0.8.1",
        "0.9.0",
        "1.0.0",
        "1.1.0",
        "1.2.0",
        "1.3.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30797",
    "GHSA-5fqv-mpj8-h7gm"
  ],
  "details": "\n\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n",
  "id": "PYSEC-2023-20",
  "modified": "2023-05-04T03:49:46.100234Z",
  "published": "2023-04-19T20:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-30797 (GCVE-0-2023-30797)

GSD-2023-30797

FKIE_CVE-2023-30797

GHSA-R4XG-4WRV-W72H

Duplicate Advisory

Original Description

GHSA-5FQV-MPJ8-H7GM

Overview

Impact

Patches

Workarounds

References

PYSEC-2023-20

Tags

Sightings

Nomenclature