CVE-2023-30797

unknown

Published 2023-03-01 · Modified 2023-11-08

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2

—

VIR risk

—

Description

Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	lemur	`<1.3.2`	`1.3.2`
PyPI	lemur	`<666d853212174ee7f4e6f8b3b4b389ede1872238\|\|<1.3.2`	`666d853212174ee7f4e6f8b3b4b389ede1872238`

References

https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
https://nvd.nist.gov/vuln/detail/CVE-2023-30797
https://github.com/Netflix/lemur/issues/3888
https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
https://github.com/Netflix/lemur
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
https://github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2023-20.yaml
https://vulncheck.com/advisories/netflix-lemur-weak-rng

Verify integrity in audit chain (admin only). AS-IS.