CVE-2023-30797 - OpenCVE

Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Netflix	Lemur

Configuration 1 [-]

cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238	Patch
https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm	Vendor Advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md	Vendor Advisory
https://vulncheck.com/advisories/netflix-lemur-weak-rng	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulnCheck

Published: 2023-04-19T19:10:12.523Z

Updated: 2023-04-19T19:10:12.523Z

Reserved: 2023-04-18T10:31:45.962Z

Link: CVE-2023-30797

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-04-19T20:15:12.377

Modified: 2023-05-01T19:55:01.860

Link: CVE-2023-30797

JSON object: View

Redhat Information

No data.

CWE

CWE-330

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-30797", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2023-04-18T10:31:45.962Z", "datePublished": "2023-04-19T19:10:12.523Z", "dateUpdated": "2023-04-19T19:10:12.523Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.org/project/lemur/", "defaultStatus": "unaffected", "packageName": "lemur", "product": "Lemur", "repo": "https://github.com/Netflix/lemur", "vendor": "Netflix", "versions": [{"lessThan": "<1.3.2", "status": "affected", "version": "0", "versionType": "1.3.2"}]}], "datePublic": "2023-02-28T15:41:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><br></div><div>Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.<br></div>"}], "value": "\n\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n"}], "impacts": [{"capecId": "CAPEC-112", "descriptions": [{"lang": "en", "value": "CAPEC-112 Brute Force"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "description": "CWE-330 Use of Insufficiently Random Values", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2023-04-19T19:10:12.523Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"}, {"tags": ["patch"], "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"}, {"tags": ["vendor-advisory"], "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"}, {"tags": ["third-party-advisory"], "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"}], "source": {"discovery": "UNKNOWN"}, "title": "Insecure Random Generation in Netflix Lemur", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA02A184-ED2B-4577-BAB1-1B536179C263", "versionEndExcluding": "1.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\n\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n"}], "id": "CVE-2023-30797", "lastModified": "2023-05-01T19:55:01.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2023-04-19T20:15:12.377", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-330"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}