CVE-2009-5014 - Vulnerability Details - OpenCVE

The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00304.

Key SSVC decision points have not yet been added.

Vendors	Products
Turbogears	Turbogears2

Configuration 1 [-]

OR	cpe:2.3:a:turbogears:turbogears2::::::::
	cpe:2.3:a:turbogears:turbogears2:1.9.7a2:::::::*
	cpe:2.3:a:turbogears:turbogears2:1.9.7a3:::::::*
	cpe:2.3:a:turbogears:turbogears2:1.9.7a4:::::::*
	cpe:2.3:a:turbogears:turbogears2:1.9.7b1:::::::*
	cpe:2.3:a:turbogears:turbogears2:1.9.7b2:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0:rc1::::::
	cpe:2.3:a:turbogears:turbogears2:2.0.1:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b1:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b2:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b3:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b4:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b5:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b6:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.0b7:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.1a1:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.1a2:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.1a3:::::::*
	cpe:2.3:a:turbogears:turbogears2:2.1b1:::::::*

No data.

No data.

References

Link	Providers
http://groups.google.com/group/turbogears-announce/msg/09ec26696b1761bb?dmode=source&output=gplain

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2010-11-05T22:00:00.000Z

Updated: 2024-09-16T22:25:19.860Z

Reserved: 2010-11-05T00:00:00.000Z

Link: CVE-2009-5014

Vulnrichment

No data.

NVD

Status : Modified

Published: 2010-11-06T00:00:01.220

Modified: 2026-04-29T01:13:23.040

Link: CVE-2009-5014

Redhat

No data.

OpenCVE Enrichment

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:turbogears:turbogears2:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BB596B6-3E2A-4961-AD67-B7E74DA85705", "versionEndIncluding": "2.1b2", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7a2:*:*:*:*:*:*:*", "matchCriteriaId": "802FBC58-C096-4960-8AAF-C45E82AF1CF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7a3:*:*:*:*:*:*:*", "matchCriteriaId": "F5ABF22A-389C-45E4-88DB-9C14B0D07DFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7a4:*:*:*:*:*:*:*", "matchCriteriaId": "40144A54-DDF6-4CD2-BC53-6B801B9F2A4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7b1:*:*:*:*:*:*:*", "matchCriteriaId": "E032AF6B-7A03-4DB2-9018-6A8B3EF708C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:1.9.7b2:*:*:*:*:*:*:*", "matchCriteriaId": "C5EBB8AF-5428-471B-BE25-90C905A8A522", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "0799228C-833A-43CC-A65B-9A727C75E644", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "782BD6DB-665A-4497-A1E9-5FE864A7EC07", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b1:*:*:*:*:*:*:*", "matchCriteriaId": "27CAAB6C-C3DB-4F1E-80DA-7E4D04B5E48C", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b2:*:*:*:*:*:*:*", "matchCriteriaId": "28A0004D-7B94-4456-818B-440D3969A5FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b3:*:*:*:*:*:*:*", "matchCriteriaId": "0E6F15E3-8F19-4EC3-95EA-AA0358AB6A6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b4:*:*:*:*:*:*:*", "matchCriteriaId": "2073CB4F-C18B-4F63-851D-38C3F0262B79", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b5:*:*:*:*:*:*:*", "matchCriteriaId": "C2D6300E-4D32-49B9-A25A-F3166D3385FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b6:*:*:*:*:*:*:*", "matchCriteriaId": "F6AC9CAD-D54F-4E58-B515-AEA861594480", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.0b7:*:*:*:*:*:*:*", "matchCriteriaId": "EB6DCDEF-590F-43B2-8550-075FEE546764", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.1a1:*:*:*:*:*:*:*", "matchCriteriaId": "B62D4F9E-4D8A-4F2A-9028-4C870DED0141", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.1a2:*:*:*:*:*:*:*", "matchCriteriaId": "E95E2E8A-C609-47E1-B614-A785547FBEE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.1a3:*:*:*:*:*:*:*", "matchCriteriaId": "5AED604B-C756-4477-897C-7A41F37A0EF5", "vulnerable": true}, {"criteria": "cpe:2.3:a:turbogears:turbogears2:2.1b1:*:*:*:*:*:*:*", "matchCriteriaId": "2576B8ED-7CAE-4028-AD0C-3B446B3E1C01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852."}, {"lang": "es", "value": "La configuraci\u00f3n de inicio r\u00e1pido por defecto de TurboGears2 (o TG2) antes de su versi\u00f3n v2.0.2 tiene una cookie 'salt' d\u00e9bil, lo que hace que sea m\u00e1s f\u00e1cil para los atacantes remotos evitar la autenticaci\u00f3n de repoze.who a trav\u00e9s de una cookie falsificada. Es un problema relacionado con el CVE-2010-3852."}], "id": "CVE-2009-5014", "lastModified": "2026-04-29T01:13:23.040", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-11-06T00:00:01.220", "references": [{"source": "cve@mitre.org", "url": "http://groups.google.com/group/turbogears-announce/msg/09ec26696b1761bb?dmode=source&output=gplain"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://groups.google.com/group/turbogears-announce/msg/09ec26696b1761bb?dmode=source&output=gplain"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}