VYPR
High severity · NVD Advisory · Published Aug 9, 2019 · Updated Aug 5, 2024

CVE-2019-14806

Description

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Werkzeug's debugger PIN is insufficiently random in Docker due to shared machine IDs, allowing remote code execution.

Vulnerability

Werkzeug provides an interactive debugger that can be enabled in development environments. The debugger requires a PIN to prevent unauthorized access. However, prior to version 0.15.3, the PIN generation relied on the machine ID (/etc/machine-id or /proc/sys/kernel/random/boot_id) and MAC addresses. In Docker containers, all containers on the same host share the same machine ID, making the PIN predictable across containers [1][4].

Exploitation

An attacker who can trigger an error in a Werkzeug-based application (e.g., by sending a malformed request) may be presented with the debugger console. Without a properly randomized PIN, the attacker can brute-force or guess the PIN due to the reduced entropy. No authentication is required beyond knowing the shared identifier [3].

Impact

Gaining access to the debugger console allows arbitrary Python code execution on the server. This can lead to full compromise of the application and underlying host, including data theft, privilege escalation, or further lateral movement [2].

Mitigation

The vulnerability is fixed in Werkzeug version 0.15.3, which incorporates additional entropy sources (e.g., a private key-based seed) to make the PIN unique per container. Users should upgrade immediately. For containers, it is also recommended to avoid running the debugger in production [1].
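As an added example (not part of this advisory and not Werkzeug's own code), the Python below mirrors the Linux branch of Werkzeug's get_machine_id() before and after the fix commit listed under Patches, run against constructed in-memory stand-ins for /etc/machine-id and /proc/self/cgroup. The seed derivation in debug_seed() is an illustrative assumption, not Werkzeug's real PIN algorithm; what it shows is that two containers sharing the host's machine id derive the same secret (and therefore the same seed) before the fix, different ones after it, and that a container whose first cgroup line carries no /docker/ component (the "0::/" layout of a unified cgroup hierarchy, constructed here) still falls back to the shared value even with the fix applied.

```python
"""Added example (not Werkzeug's code): why a shared /etc/machine-id makes a
machine-derived debugger secret collide across Docker containers, and what the
fix on this page (container id read from /proc/self/cgroup) changes."""
import hashlib
from typing import Mapping, Optional

# Constructed filesystems for three hypothetical containers on one host.
# The machine id is identical because every container sees the host's file.
SHARED_MACHINE_ID = "0123456789abcdef0123456789abcdef"  # constructed value
CONTAINER_A = {
    "/etc/machine-id": SHARED_MACHINE_ID + "\n",
    "/proc/self/cgroup": "12:devices:/docker/aaaa1111aaaa1111\n",  # constructed id
}
CONTAINER_B = {
    "/etc/machine-id": SHARED_MACHINE_ID + "\n",
    "/proc/self/cgroup": "12:devices:/docker/bbbb2222bbbb2222\n",  # constructed id
}
# A container whose cgroup line has no '/docker/' component (a unified cgroup
# hierarchy shows a line like '0::/'): the patched lookup finds nothing here.
CONTAINER_C = {
    "/etc/machine-id": SHARED_MACHINE_ID + "\n",
    "/proc/self/cgroup": "0::/\n",
}


def machine_id(files: Mapping[str, str], with_fix: bool) -> Optional[str]:
    """Mirror the Linux branch of get_machine_id() on a constructed filesystem.

    with_fix=True adds the /proc/self/cgroup lookup from the fix commit (first
    line only, split on '/docker/'); with_fix=False is the pre-0.15.3 path.
    """
    if with_fix:
        line = files.get("/proc/self/cgroup", "")
        container_id = line.strip().partition("/docker/")[2]
        if container_id:
            return container_id
    # Pre-fix sources, tried in order: machine-id (stable across boots), boot id.
    for name in ("/etc/machine-id", "/proc/sys/kernel/random/boot_id"):
        if name in files:
            first = files[name].splitlines()[:1]
            value = first[0].strip() if first else ""
            if value:
                return value
    return None


def debug_seed(files: Mapping[str, str], with_fix: bool, public_bits: str) -> str:
    """Illustrative seed derivation (an assumption, NOT Werkzeug's PIN algorithm):
    hash the machine-derived secret together with bits that are often knowable
    (user name, module path). If the secret collides, so does the seed."""
    secret = machine_id(files, with_fix) or ""
    return hashlib.sha256((secret + "|" + public_bits).encode()).hexdigest()


def seeds_collide(containers, with_fix: bool, public_bits="app|/srv/app/wsgi.py") -> bool:
    """True when two or more of the given containers derive the same seed."""
    seeds = [debug_seed(c, with_fix, public_bits) for c in containers]
    return len(set(seeds)) < len(seeds)


if __name__ == "__main__":
    print("pre-fix,  A vs B collide:", seeds_collide([CONTAINER_A, CONTAINER_B], False))
    print("post-fix, A vs B collide:", seeds_collide([CONTAINER_A, CONTAINER_B], True))
    print("post-fix, C still uses shared machine id:",
          machine_id(CONTAINER_C, True) == SHARED_MACHINE_ID)
```

Running the block prints the three comparisons. The third line is the practical caveat for defenders: the container-id lookup is best-effort, so the durable mitigations remain upgrading to 0.15.3 or later and, as the advisory says, not running the debugger in production at all.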

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Source  Affected versions  Patched versions
werkzeug   PyPI    < 0.15.3           0.15.3

Affected products

17

Patches

1
00bc43b1672e

unique debugger pin in Docker containers

https://github.com/pallets/werkzeug · David Lord · May 14, 2019 · via ghsa
2 files changed · +15 −0
  • CHANGES.rst +2 −0 modified
    @@ -20,6 +20,8 @@ Unreleased
         (:issue:`1510`)
     -   The debugger detects cycles in chained exceptions and does not time
         out in that case. (:issue:`1536`)
    +-   When running the development server in Docker, the debugger security
    +    pin is now unique per container.
     
     
     Version 0.15.2
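Review bot: the changelog entry overstates the guarantee: "unique per container" holds only when the first line of /proc/self/cgroup contains a "/docker/" component, which is all the accompanying code inspects, so it should say the PIN is derived from the Docker container id when one can be found; also write "PIN" rather than "pin", since the entry refers to the debugger security PIN.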
    
  • src/werkzeug/debug/__init__.py +13 −0 modified
    @@ -67,6 +67,19 @@ def get_machine_id():
             return rv
     
         def _generate():
    +        # docker containers share the same machine id, get the
    +        # container id instead
    +        try:
    +            with open("/proc/self/cgroup") as f:
    +                value = f.readline()
    +        except IOError:
    +            pass
    +        else:
    +            value = value.strip().partition("/docker/")[2]
    +
    +            if value:
    +                return value
    +
             # Potential sources of secret information on linux.  The machine-id
             # is stable across boots, the boot id is not
             for filename in "/etc/machine-id", "/proc/sys/kernel/random/boot_id":
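Review bot: the new branch silently falls back to the shared machine-id whenever the first cgroup line has no "/docker/" component, and it only ever looks at the first line (`value = f.readline()`), so a Docker id that appears on a later line of /proc/self/cgroup is missed; consider iterating over all lines before giving up, and extend the comment to say the expected layout (`<hierarchy>:<controllers>:/docker/<id>`) and that the lookup is best-effort. Minor style point: the try/except/else with a bare `pass` would read more directly as a single try block that returns the id inside it and lets `except IOError` fall through.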
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.