VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 6, 2010· Updated Apr 29, 2026

CVE-2009-5014

CVE-2009-5014

Description

The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852.

Affected products

19
  • Turbogears/Turbogears219 versions
    cpe:2.3:a:turbogears:turbogears2:*:*:*:*:*:*:*:*+ 18 more
    • cpe:2.3:a:turbogears:turbogears2:*:*:*:*:*:*:*:*range: <=2.1b2
    • cpe:2.3:a:turbogears:turbogears2:1.9.7a2:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:1.9.7a3:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:1.9.7a4:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:1.9.7b1:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:1.9.7b2:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.0b1:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.0b2:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.0b3:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.0b4:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.0b5:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.0b6:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.0b7:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.1a1:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.1a2:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.1a3:*:*:*:*:*:*:*
    • cpe:2.3:a:turbogears:turbogears2:2.1b1:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.