CVE-2009-5014

EUVD-2009-4972
The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.5 UNKNOWN | NETWORK | LOW | | AV:N/AC:L/Au:N/C:P/I:P/A:P |
EPSS Score
Percentile: 53%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| turbogears | turbogears2 | 𝑥 ≤ 2.1b2 |
| turbogears | turbogears2 | 1.9.7a2:a2 |
| turbogears | turbogears2 | 1.9.7a3:a3 |
| turbogears | turbogears2 | 1.9.7a4:a4 |
| turbogears | turbogears2 | 1.9.7b1:b1 |
| turbogears | turbogears2 | 1.9.7b2:b2 |
| turbogears | turbogears2 | 2.0:rc1 |
| turbogears | turbogears2 | 2.0.1 |
| turbogears | turbogears2 | 2.0b1:b1 |
| turbogears | turbogears2 | 2.0b2:b2 |
| turbogears | turbogears2 | 2.0b3:b3 |
| turbogears | turbogears2 | 2.0b4:b4 |
| turbogears | turbogears2 | 2.0b5:b5 |
| turbogears | turbogears2 | 2.0b6:b6 |
| turbogears | turbogears2 | 2.0b7:b7 |
| turbogears | turbogears2 | 2.1a1:a1 |
| turbogears | turbogears2 | 2.1a2:a2 |
| turbogears | turbogears2 | 2.1a3:a3 |
| turbogears | turbogears2 | 2.1b1:b1 |

𝑥 = Vulnerable software versions
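Ubuntu Releases

| Ubuntu Product | Codename | |
|---|---|---|
| turbogears2 | dapper | dne |
| turbogears2 | hardy | dne |
| turbogears2 | karmic | not-affected |
| turbogears2 | lucid | not-affected |
| turbogears2 | maverick | not-affected |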
Common Weakness Enumeration