CVE-2009-5014 - OpenCVE

The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Turbogears	Turbogears2

Configuration 1 [-]

OR	cpe:2.3:a:turbogears:turbogears2::::::::
	cpe:2.3:a:turbogears:turbogears2:1.9.7a2:::::::*
	cpe:2.3:a:turbogears:turbogears2:1.9.7a3:::::::*
	cpe:2.3:a:turbogears:turbogears2:1.9.7a4:::::::*
	cpe:2.3:a:turbogears:turbogears2:1.9.7b1:::::::*
	cpe:2.3:a:turbogears:turbogears2:1.9.7b2:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0:rc1::::::
	cpe:2.3:a:turbogears:turbogears2:2.0.1:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b1:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b2:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b3:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b4:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b5:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b6:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b7:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.1a1:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.1a2:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.1a3:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.1b1:::::::*

References

Link	Resource
http://groups.google.com/group/turbogears-announce/msg/09ec26696b1761bb?dmode=source&output=gplain

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:24:01

Updated: 2022-10-03T16:24:01

Reserved: 2022-10-03T00:00:00

Link: CVE-2009-5014

JSON object: View

NVD Information

Status : Analyzed

Published: 2010-11-06T00:00:01.220

Modified: 2010-11-09T05:00:00.000

Link: CVE-2009-5014

JSON object: View

Redhat Information

No data.

CWE

CWE-310

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:turbogears:turbogears2:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BB596B6-3E2A-4961-AD67-B7E74DA85705", "versionEndIncluding": "2.1b2", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7a2:*:*:*:*:*:*:*", "matchCriteriaId": "802FBC58-C096-4960-8AAF-C45E82AF1CF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7a3:*:*:*:*:*:*:*", "matchCriteriaId": "F5ABF22A-389C-45E4-88DB-9C14B0D07DFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7a4:*:*:*:*:*:*:*", "matchCriteriaId": "40144A54-DDF6-4CD2-BC53-6B801B9F2A4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7b1:*:*:*:*:*:*:*", "matchCriteriaId": "E032AF6B-7A03-4DB2-9018-6A8B3EF708C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7b2:*:*:*:*:*:*:*", "matchCriteriaId": "C5EBB8AF-5428-471B-BE25-90C905A8A522", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "0799228C-833A-43CC-A65B-9A727C75E644", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "782BD6DB-665A-4497-A1E9-5FE864A7EC07", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b1:*:*:*:*:*:*:*", "matchCriteriaId": "27CAAB6C-C3DB-4F1E-80DA-7E4D04B5E48C", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b2:*:*:*:*:*:*:*", "matchCriteriaId": "28A0004D-7B94-4456-818B-440D3969A5FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b3:*:*:*:*:*:*:*", "matchCriteriaId": "0E6F15E3-8F19-4EC3-95EA-AA0358AB6A6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b4:*:*:*:*:*:*:*", "matchCriteriaId": "2073CB4F-C18B-4F63-851D-38C3F0262B79", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b5:*:*:*:*:*:*:*", "matchCriteriaId": "C2D6300E-4D32-49B9-A25A-F3166D3385FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b6:*:*:*:*:*:*:*", "matchCriteriaId": "F6AC9CAD-D54F-4E58-B515-AEA861594480", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b7:*:*:*:*:*:*:*", "matchCriteriaId": "EB6DCDEF-590F-43B2-8550-075FEE546764", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.1a1:*:*:*:*:*:*:*", "matchCriteriaId": "B62D4F9E-4D8A-4F2A-9028-4C870DED0141", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.1a2:*:*:*:*:*:*:*", "matchCriteriaId": "E95E2E8A-C609-47E1-B614-A785547FBEE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.1a3:*:*:*:*:*:*:*", "matchCriteriaId": "5AED604B-C756-4477-897C-7A41F37A0EF5", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.1b1:*:*:*:*:*:*:*", "matchCriteriaId": "2576B8ED-7CAE-4028-AD0C-3B446B3E1C01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852."}, {"lang": "es", "value": "La configuraci\u00f3n de inicio r\u00e1pido por defecto de TurboGears2 (o TG2) antes de su versi\u00f3n v2.0.2 tiene una cookie 'salt' d\u00e9bil, lo que hace que sea m\u00e1s f\u00e1cil para los atacantes remotos evitar la autenticaci\u00f3n de repoze.who a trav\u00e9s de una cookie falsificada. Es un problema relacionado con el CVE-2010-3852."}], "id": "CVE-2009-5014", "lastModified": "2010-11-09T05:00:00.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-11-06T00:00:01.220", "references": [{"source": "cve@mitre.org", "url": "http://groups.google.com/group/turbogears-announce/msg/09ec26696b1761bb?dmode=source&output=gplain"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}