Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-pj89-r99c-cbau
Vulnerability ID VCID-pj89-r99c-cbau
Aliases CVE-2023-30797
GHSA-5fqv-mpj8-h7gm
GMS-2023-540
PYSEC-2023-20
Summary Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.
Status Published
Exploitability 0.5
Weighted Severity 0.0
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-330 Use of Insufficiently Random Values
System Score Found at
epss 0.00339 https://api.first.org/data/v1/epss?cve=CVE-2023-30797
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-5fqv-mpj8-h7gm
cvssv3.1 7.5 https://github.com/Netflix/lemur
cvssv4 8.7 https://github.com/Netflix/lemur
generic_textual HIGH https://github.com/Netflix/lemur
cvssv3.1 7.5 https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
cvssv4 8.7 https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
generic_textual HIGH https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
ssvc Track https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
cvssv3.1 7.5 https://github.com/Netflix/lemur/issues/3888
cvssv4 8.7 https://github.com/Netflix/lemur/issues/3888
generic_textual HIGH https://github.com/Netflix/lemur/issues/3888
cvssv3.1 7.5 https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
cvssv3.1_qr HIGH https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
cvssv4 8.7 https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
generic_textual HIGH https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
ssvc Track https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
cvssv3.1 7.5 https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
cvssv4 8.7 https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
generic_textual HIGH https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
ssvc Track https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2023-20.yaml
cvssv4 8.7 https://github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2023-20.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2023-20.yaml
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-30797
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2023-30797
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-30797
cvssv3.1 7.5 https://vulncheck.com/advisories/netflix-lemur-weak-rng
cvssv4 8.7 https://vulncheck.com/advisories/netflix-lemur-weak-rng
generic_textual HIGH https://vulncheck.com/advisories/netflix-lemur-weak-rng
ssvc Track https://vulncheck.com/advisories/netflix-lemur-weak-rng
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-30797
https://github.com/Netflix/lemur
https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
https://github.com/Netflix/lemur/issues/3888
https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
https://github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2023-20.yaml
https://vulncheck.com/advisories/netflix-lemur-weak-rng
CVE-2023-30797 https://nvd.nist.gov/vuln/detail/CVE-2023-30797
GHSA-5fqv-mpj8-h7gm https://github.com/advisories/GHSA-5fqv-mpj8-h7gm
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/Netflix/lemur
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/Netflix/lemur
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T14:49:23Z/ Found at https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/Netflix/lemur/issues/3888
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/Netflix/lemur/issues/3888
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T14:49:23Z/ Found at https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T14:49:23Z/ Found at https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2023-20.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2023-20.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-30797
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-30797
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://vulncheck.com/advisories/netflix-lemur-weak-rng
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://vulncheck.com/advisories/netflix-lemur-weak-rng
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T14:49:23Z/ Found at https://vulncheck.com/advisories/netflix-lemur-weak-rng
Exploit Prediction Scoring System (EPSS)
Percentile 0.56907
EPSS Score 0.00339
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:31:39.842698+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/lemur/PYSEC-2023-20.yaml 38.6.0