CVE-2015-7764: Lemur uses static IV per key
Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting with AES in CBC mode.
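What a per-key static IV gives away in CBC mode, as an added example (not Lemur's code): records that share leading plaintext blocks produce identical leading ciphertext blocks, while a fresh random IV per message removes the correlation. The block cipher is a labelled stand-in for AES so the script runs on the Python standard library alone; the key, the sample secrets and the way the static IV is derived are constructed assumptions.

```python
import hashlib, hmac, os
BLOCK = 16  # block size in bytes, as in AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    # Stand-in cipher (4-round Feistel over HMAC-SHA256), NOT AES; the flaw is in the IV.
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right

def cbc_encrypt(key, iv, plaintext):
    pad = BLOCK - len(plaintext) % BLOCK          # PKCS#7 padding
    data = plaintext + bytes([pad]) * pad
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def encrypt_static_iv(key, plaintext):
    # Flawed pattern: the IV is a function of the key alone (assumed derivation).
    iv = hashlib.sha256(b"iv" + key).digest()[:BLOCK]
    return cbc_encrypt(key, iv, plaintext)

def encrypt_random_iv(key, plaintext):
    # Corrected pattern: fresh random IV per message, stored with the ciphertext.
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)

def shared_prefix_blocks(c1, c2):
    # Number of leading ciphertext blocks two messages have in common.
    n = 0
    while c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK] != b"":
        n += 1
    return n

# Constructed sample data: two secrets sharing a 32-byte (two-block) header.
KEY = b"constructed-demo-key"
HEADER = b"-----BEGIN RSA PRIVATE KEY-----\n"
SECRET_A, SECRET_B = HEADER + b"AAAA-constructed", HEADER + b"BBBB-constructed"

if __name__ == "__main__":
    s = shared_prefix_blocks(encrypt_static_iv(KEY, SECRET_A), encrypt_static_iv(KEY, SECRET_B))
    r = shared_prefix_blocks(encrypt_random_iv(KEY, SECRET_A), encrypt_random_iv(KEY, SECRET_B))
    print("equal leading blocks: static IV", s, "| random IV", r)
```

The same comparison run over stored ciphertexts is a quick audit check: repeated leading blocks across rows encrypted under one key indicate a reused IV.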
References
- github.com/Netflix/lemur
- github.com/Netflix/lemur/commit/394e18f76e5eb534d95160945ebc231ec3b4c794
- github.com/Netflix/lemur/issues/117
- github.com/advisories/GHSA-chg9-3c3p-ch23
- github.com/kvesteri/sqlalchemy-utils/issues/166
- github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2017-50.yaml
- nvd.nist.gov/vuln/detail/CVE-2015-7764