Insufficient Entropy Affecting python-werkzeug package, versions <0.15.6+dfsg1-1
Threat Intelligence
EPSS
0.32% (71st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-PYTHONWERKZEUG-523482
- published 10 Aug 2019
- disclosed 9 Aug 2019
Introduced: 9 Aug 2019
CVE-2019-14806 Open this link in a new tabHow to fix?
Upgrade Debian:11 python-werkzeug to version 0.15.6+dfsg1-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-werkzeug package and not the python-werkzeug package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
References
- https://security-tracker.debian.org/tracker/CVE-2019-14806
- https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
- https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/init.py#L168
- https://palletsprojects.com/blog/werkzeug-0-15-3-released/
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-14806
CVSS Scores
version 3.1