MidnightBSD

Advisories for turbogears

CVE-2009-5014 HIGH

The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-310,

Products Affected

Vendor Product Version
turbogears turbogears2 2.0
turbogears turbogears2 1.9.7a2
turbogears turbogears2 2.0b3
turbogears turbogears2 *
turbogears turbogears2 1.9.7b2
turbogears turbogears2 2.1b1
turbogears turbogears2 2.0b2
turbogears turbogears2 1.9.7b1
turbogears turbogears2 2.0b6
turbogears turbogears2 2.1a2
turbogears turbogears2 2.0b1
turbogears turbogears2 1.9.7a4
turbogears turbogears2 2.0.1
turbogears turbogears2 2.0b5
turbogears turbogears2 2.1a3
turbogears turbogears2 2.0b4
turbogears turbogears2 2.1a1
turbogears turbogears2 1.9.7a3
turbogears turbogears2 2.0b7
CVE-2009-5015 HIGH

The URL dispatch mechanism in TurboGears2 (aka tg2) before 2.0.2 exposes controller methods even when an @expose decoration is not used, which has unspecified impact and attack vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
turbogears turbogears2 2.0
turbogears turbogears2 1.9.7a2
turbogears turbogears2 2.0b3
turbogears turbogears2 *
turbogears turbogears2 1.9.7b2
turbogears turbogears2 2.1b1
turbogears turbogears2 2.0b2
turbogears turbogears2 1.9.7b1
turbogears turbogears2 2.0b6
turbogears turbogears2 2.1a2
turbogears turbogears2 2.0b1
turbogears turbogears2 1.9.7a4
turbogears turbogears2 2.0.1
turbogears turbogears2 2.0b5
turbogears turbogears2 2.1a3
turbogears turbogears2 2.0b4
turbogears turbogears2 2.1a1
turbogears turbogears2 1.9.7a3
turbogears turbogears2 2.0b7