CVE-2023-30797 - OpenCVE

Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netflix	Lemur

Configuration 1 [-]

cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
https://vulncheck.com/advisories/netflix-lemur-weak-rng

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2023-04-19T19:10:12.523Z

Updated: 2024-08-02T14:37:15.447Z

Reserved: 2023-04-18T10:31:45.962Z

Link: CVE-2023-30797

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-04-19T20:15:12.377

Modified: 2023-05-01T19:55:01.860

Link: CVE-2023-30797

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30797", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2023-04-18T10:31:45.962Z", "datePublished": "2023-04-19T19:10:12.523Z", "dateUpdated": "2024-08-02T14:37:15.447Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.org/project/lemur/", "defaultStatus": "unaffected", "packageName": "lemur", "product": "Lemur", "repo": "https://github.com/Netflix/lemur", "vendor": "Netflix", "versions": [{"lessThan": "<1.3.2", "status": "affected", "version": "0", "versionType": "1.3.2"}]}], "datePublic": "2023-02-28T15:41:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><br></div><div>Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.<br></div>"}], "value": "\n\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n"}], "impacts": [{"capecId": "CAPEC-112", "descriptions": [{"lang": "en", "value": "CAPEC-112 Brute Force"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "description": "CWE-330 Use of Insufficiently Random Values", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2023-04-19T19:10:12.523Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"}, {"tags": ["patch"], "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"}, {"tags": ["vendor-advisory"], "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"}, {"tags": ["third-party-advisory"], "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"}], "source": {"discovery": "UNKNOWN"}, "title": "Insecure Random Generation in Netflix Lemur", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.447Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA02A184-ED2B-4577-BAB1-1B536179C263", "versionEndExcluding": "1.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\n\nNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\n\n\n"}], "id": "CVE-2023-30797", "lastModified": "2023-05-01T19:55:01.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2023-04-19T20:15:12.377", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-330"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}