CVE-2019-14806
Published 2019-08-09
CVE-2019-14806: Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
Priority P3 · 38 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 2.29% (81.0th percentile)
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
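To make the description concrete, the following is an added example (not Werkzeug's own code) that models how the debugger PIN is derived from a "machine id" before and after the 0.15.3 fix referenced below (commit 00bc43b1). Before the fix the Linux branch read only /etc/machine-id (falling back to /proc/sys/kernel/random/boot_id); the fix appends the last path component of the first line of /proc/self/cgroup, which inside a Docker container is the container id. The two container "filesystems", the machine id, the cgroup lines, the user, module and file names, and the MAC value are all constructed for the example; the MAC is held constant across both containers on purpose, so that the comparison isolates what the machine-id component alone contributes. The md5 hash, the `cookiesalt`/`pinsalt` strings and the 3-3-3 grouping follow the 0.15-era code, but this is a model, not a vendored copy.

```python
"""Model of the Werkzeug debugger PIN derivation before and after the
0.15.3 fix for CVE-2019-14806.  Added example, not Werkzeug's own code:
it follows the shape of the referenced commit but reads from constructed
in-memory "filesystems" so it runs anywhere, offline."""
import hashlib
from itertools import chain

# Constructed sample: two containers on one Docker host.  /etc/machine-id is
# the host's and is identical in both; only the cgroup path differs.  Both
# the machine id and the container ids below are made up for the example.
HOST_MACHINE_ID = b"5c2c7ab2a0c04a1f9a4d6b4e0b5b6b21"
CONTAINER_A = {
    "/etc/machine-id": HOST_MACHINE_ID,
    "/proc/self/cgroup": b"12:memory:/docker/1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d",
}
CONTAINER_B = {
    "/etc/machine-id": HOST_MACHINE_ID,
    "/proc/self/cgroup": b"12:memory:/docker/ffeeddccbbaa99887766554433221100",
}


def read_first_line(fs, path):
    """First line of `path` in the fake filesystem, stripped; b"" if absent."""
    data = fs.get(path)
    if data is None:
        return b""
    return data.split(b"\n", 1)[0].strip()


def machine_id(fs, mix_in_cgroup):
    """Werkzeug-style machine id.

    mix_in_cgroup=False models versions before 0.15.3: only /etc/machine-id
    (or boot_id as a fallback) is used, so every container on the host yields
    the same value.  mix_in_cgroup=True models the fix: the last path
    component of the first /proc/self/cgroup line (the container id under
    Docker) is appended.
    """
    linux = b""
    for path in ("/etc/machine-id", "/proc/sys/kernel/random/boot_id"):
        value = read_first_line(fs, path)
        if value:
            linux += value
            break
    if mix_in_cgroup:
        linux += read_first_line(fs, "/proc/self/cgroup").rpartition(b"/")[2]
    return linux


def debugger_pin(public_bits, private_bits):
    """Hash the 'probably public' and 'private' bits into the 9-digit PIN,
    grouped 3-3-3 as Werkzeug prints it (md5 and both salts as in 0.15)."""
    h = hashlib.md5()
    for bit in chain(public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")  # cookie-name salt is applied first in Werkzeug
    h.update(b"pinsalt")
    num = ("%09d" % int(h.hexdigest(), 16))[:9]
    return "-".join(num[i:i + 3] for i in range(0, 9, 3))


# uuid.getnode() is the MAC as an integer.  Docker's default bridge derives
# the MAC from the container IP (02:42:ac:11:00:02 here, constructed), which
# is why it adds little; it is held constant below to isolate the machine id.
DEFAULT_MAC_NODE = str(0x0242AC110002)


def pins_for(containers, fixed, mac_node=DEFAULT_MAC_NODE):
    """PIN each container would display.  The 'public' bits (user, module,
    app name, app file) are constant across containers running the same
    image, so they are fixed constructed values here."""
    public = ["root", "flask.app", "Flask",
              "/usr/local/lib/python3.8/site-packages/flask/app.py"]
    return [debugger_pin(public, [mac_node, machine_id(fs, fixed)])
            for fs in containers]


if __name__ == "__main__":
    for label, fixed in (("before 0.15.3", False), ("0.15.3+", True)):
        a, b = pins_for([CONTAINER_A, CONTAINER_B], fixed)
        print(f"{label}: container A {a}  container B {b}  "
              f"{'SAME' if a == b else 'different'}")
```

Read the result as a scope statement, not a reassurance: after the fix the PIN differs per container, but every input to it (machine id, boot id, cgroup line, MAC, username, module path) is state an attacker can reconstruct if they already have a file-read primitive in the container, which is why the Red Hat statement below treats enabling the debugger at all as the real precondition. The check to run in production is therefore "is the Werkzeug debugger reachable", not "is the PIN unique".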
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-werkzeug | < 0.15.6+dfsg1-1 (bookworm) | 0.15.6+dfsg1-1 (bookworm) |
| opensuse | leap | — | — |
| palletsprojects | werkzeug | >= 0, < 0.15.3 | 0.15.3 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Ubuntu
Werkzeug vulnerabilities
vendor_ubuntu·2020-12-01·CVSS 7.5
CVE-2020-28724 [HIGH] Werkzeug vulnerabilities
Title: Werkzeug vulnerabilities
Summary: Several security issues were fixed in Werkzeug.
It was discovered that Werkzeug has insufficient debugger PIN randomness.
An attacker could use this issue to access sensitive information. This issue only
affected Ubuntu 18.04 LTS. (CVE-2019-14806)
It was discovered that Werkzeug incorrectly handled certain URLs.
An attacker could possibly use this issue to cause phishing attacks.
This issue only affected Ubuntu 16.04 LTS. (CVE-2020-28724)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-werkzeug: insufficient debugger PIN randomness vulnerability
vendor_redhat·2019-08-09·CVSS 7.5
CVE-2019-14806 [HIGH] CWE-330 python-werkzeug: insufficient debugger PIN randomness vulnerability
python-werkzeug: insufficient debugger PIN randomness vulnerability
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
Statement: While Red Hat Quay contains a vulnerable version of python-werkzeug in the quay container image, use of the debug feature is not recommended in any upstream or downstream documentation. A user of Red Hat Quay would have to enable python-werkzeug debugging before Red Hat Quay became vulnerable.
This issue did not affect the versions of python-werkzeug as shipped with Red Hat Update Infrastructure as they did not include support for PIN based authentication. The same is true for the versions of python-werkzeug as shipped with Red Hat Enterprise Linux 8.
Debian
CVE-2019-14806: python-werkzeug - Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger...
vendor_debian·2019·CVSS 7.5
CVE-2019-14806 [HIGH] CVE-2019-14806: python-werkzeug - Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger...
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
Scope: local
bookworm: resolved (fixed in 0.15.6+dfsg1-1)
bullseye: resolved (fixed in 0.15.6+dfsg1-1)
forky: resolved (fixed in 0.15.6+dfsg1-1)
sid: resolved (fixed in 0.15.6+dfsg1-1)
trixie: resolved (fixed in 0.15.6+dfsg1-1)
OSV
python-werkzeug vulnerabilities
osv·2020-12-01·CVSS 7.5
CVE-2019-14806 [HIGH] python-werkzeug vulnerabilities
python-werkzeug vulnerabilities
It was discovered that Werkzeug has insufficient debugger PIN randomness.
An attacker could use this issue to access sensitive information. This issue only
affected Ubuntu 18.04 LTS. (CVE-2019-14806)
It was discovered that Werkzeug incorrectly handled certain URLs.
An attacker could possibly use this issue to cause phishing attacks.
This issue only affected Ubuntu 16.04 LTS. (CVE-2020-28724)
OSV
Pallets Werkzeug Insufficient Entropy
osv·2019-08-21
CVE-2019-14806 [HIGH] Pallets Werkzeug Insufficient Entropy
Pallets Werkzeug Insufficient Entropy
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
GHSA
Pallets Werkzeug Insufficient Entropy
ghsa·2019-08-21
CVE-2019-14806 [HIGH] CWE-331 Pallets Werkzeug Insufficient Entropy
Pallets Werkzeug Insufficient Entropy
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
OSV
CVE-2019-14806: Pallets Werkzeug before 0
osv·2019-08-09·CVSS 7.5
CVE-2019-14806 [HIGH] CVE-2019-14806: Pallets Werkzeug before 0
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability [openstack-rdo]
bugzilla·2019-11-13·CVSS 7.5
CVE-2019-14806 [HIGH] CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability [openstack-rdo]
CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Updated to 1.0.
Bugzilla
CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability
bugzilla·2019-11-12·CVSS 7.5
CVE-2019-14806 [HIGH] CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability
CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability
A vulnerability was found in Pallets Werkzeug before 0.15.3: when used with Docker, it has insufficient debugger PIN randomness because Docker containers share the same machine id.
Reference:
https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168
https://palletsprojects.com/blog/werkzeug-0-15-3-released/
Discussion:
Created python-werkzeug tracking bugs for this issue:
Affects: epel-6 [bug 1771362]
Affects: fedora-all [bug 1771361]
---
Created python-werkzeug tracking bugs for this issue:
Affects: openstack-rdo [bug 1771832]
---
Bugzilla
CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability [epel-6]
bugzilla·2019-11-12·CVSS 7.5
CVE-2019-14806 [HIGH] CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability [epel-6]
CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to
Bugzilla
CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability [fedora-all]
bugzilla·2019-11-12·CVSS 7.5
CVE-2019-14806 [HIGH] CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability [fedora-all]
CVE-2019-14806 python-werkzeug: insufficient debugger PIN randomness vulnerability [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
References
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html
https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168
https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
https://palletsprojects.com/blog/werkzeug-0-15-3-released/
Published 2019-08-09