Vulnerability Details : CVE-2019-14806
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
Products affected by CVE-2019-14806
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:palletsprojects:werkzeug:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-14806
EPSS score: 0.22% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~45% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2019-14806
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2019-14806
- The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-14806
- https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
  unique debugger pin in Docker containers · pallets/werkzeug@00bc43b · GitHub (Patch)
- https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168
  werkzeug/__init__.py at 7fef41b120327d3912fbe12fb64f1951496fcf3e · pallets/werkzeug · GitHub (Product)
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html
  [security-announce] openSUSE-SU-2019:2145-1: moderate: Security update f (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html
  [security-announce] openSUSE-SU-2019:2118-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://palletsprojects.com/blog/werkzeug-0-15-3-released/
  Werkzeug 0.15.3 Released | The Pallets Projects (Release Notes)