CVE-2009-5014

The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852.
CVSS
Provider: NIST, Type: NIST, Base Score: 7.5 UNKNOWN, Atk. Vector: NETWORK, Atk. Complexity: LOW, Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Provider: mitre, Type: CNA, ---
Provider: CVE, Type: ADP, ---
EPSS Score
Percentile: 53%
Vendor: turbogears, Product: turbogears2
Versions:
𝑥 ≤ 2.1b2
1.9.7a2:a2
1.9.7a3:a3
1.9.7a4:a4
1.9.7b1:b1
1.9.7b2:b2
2.0:rc1
2.0.1
2.0b1:b1
2.0b2:b2
2.0b3:b3
2.0b4:b4
2.0b5:b5
2.0b6:b6
2.0b7:b7
2.1a1:a1
2.1a2:a2
2.1a3:a3
2.1b1:b1
𝑥 = Vulnerable software versions
Ubuntu Releases
Ubuntu Product: turbogears2
Codename: status
maverick: not-affected
lucid: not-affected
karmic: not-affected
hardy: dne
dapper: dne
Common Weakness Enumeration