
Cloud Vulnerability DB
A community-led vulnerabilities database
Netflix Lemur before version 1.3.2 contained a security vulnerability related to the use of insufficiently random values when generating default credentials and various security-sensitive configurations. The vulnerability was discovered by kjsman (Jinseo Kim) and was assigned CVE-2023-30797. The issue was publicly disclosed on February 28, 2023, and was patched in version 1.3.2 (Netflix Advisory, GitHub Advisory).
The vulnerability is classified as CWE-330 (Use of Insufficiently Random Values) and received a CVSS v3.1 score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue stemmed from the use of insecure (non-cryptographic) random generation in both the example configuration files and utility functions, affecting multiple security-sensitive components including Flask session secrets, token secrets, database encryption keys, and various runtime-generated credentials (VulnCheck Advisory, Netflix Advisory).
The affected components include Flask session secrets (SECRET_KEY), Lemur token secrets (LEMUR_TOKEN_SECRET), database encryption keys (LEMUR_ENCRYPTION_KEYS), OAuth2 state token secrets, randomly generated passphrases for OpenSSL keystores, initial passwords for LDAP and Ping/OAuth2 users, OAuth2 nonces, and Verisign certificate enrollment challenges. The insufficient randomness in these components could allow an attacker to predict or guess the generated values (GitHub Advisory).
The vulnerability was patched in Lemur version 1.3.2, and users should upgrade to this version or later. For deployments whose config secrets were generated from Lemur's example config, those secrets should be rotated. No direct workarounds are available; users who generated their config secrets in a more secure way are not known to be compromised, but they should still upgrade so that they receive the fixes for runtime-generated secrets (Netflix Advisory).
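The following is an added illustration, not code from Lemur or from this advisory: it contrasts the CWE-330 pattern (a seeded, non-cryptographic PRNG producing a reproducible "secret") with a `secrets`-backed replacement, generates fresh values for the three config keys named above for a rotation, and includes a small `ast`-based audit helper that flags module-level `random.*` calls in Python source. The function names, the value formats, and the `SAMPLE_SOURCE` module are assumptions constructed for the example.

```python
import ast
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

def weak_secret(length: int, seed: int) -> str:
    """CWE-330 pattern: a non-cryptographic PRNG seeded from a guessable
    value yields a reproducible 'secret' (same seed -> same string)."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_secret(length: int) -> str:
    """Replacement backed by the OS CSPRNG through the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def generate_config_secrets() -> dict:
    """Fresh values for the config keys the advisory names, for rotating
    secrets after the upgrade. Value lengths/encodings are assumptions."""
    return {
        "SECRET_KEY": secrets.token_hex(32),
        "LEMUR_TOKEN_SECRET": secrets.token_urlsafe(32),
        "LEMUR_ENCRYPTION_KEYS": [secrets.token_urlsafe(32)],
    }

# Module-level `random` functions that must not feed credentials.
INSECURE_CALLS = {"random", "randint", "choice", "choices", "randrange", "sample", "getrandbits", "uniform"}

def find_insecure_random_calls(source: str) -> list:
    """Audit helper: (line, call) for each module-level random.<func> call."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            base = node.func.value
            if (isinstance(base, ast.Name) and base.id == "random"
                    and node.func.attr in INSECURE_CALLS):
                hits.append((node.lineno, f"random.{node.func.attr}"))
    return hits

# Constructed sample utility module (not Lemur's own code) to scan.
SAMPLE_SOURCE = """import random
import secrets

def get_random_string(length=32):
    return ''.join(random.choice(CHARS) for _ in range(length))
def get_secure_string(length=32):
    return secrets.token_urlsafe(length)
"""
```

Calls through `secrets`, `os.urandom` or `random.SystemRandom` are deliberately not flagged by the audit helper, since those draw from the OS CSPRNG.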
Source: This report was generated using AI