PyPI package
lemur
pkg:pypi/lemur
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44305 | Medium | 6.8 | | < 1.9.0 | 1.9.0 | May 12, 2026 | Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned be |
| CVE-2026-44304 | High | 8.1 | | < 1.9.0 | 1.9.0 | May 12, 2026 | Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through th |
| CVE-2023-30797 | — | — | | < 1.3.2 | 1.3.2 | Apr 19, 2023 | Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur. |
| CVE-2015-7764 | High | 7.5 | | < 0.1.5 | 0.1.5 | Aug 9, 2017 | Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode. |