A vulnerability was found in Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. Reference: https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246 https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168 https://palletsprojects.com/blog/werkzeug-0-15-3-released/
Created python-werkzeug tracking bugs for this issue: Affects: epel-6 [bug 1771362] Affects: fedora-all [bug 1771361]
Created python-werkzeug tracking bugs for this issue: Affects: openstack-rdo [bug 1771832]
External References: https://palletsprojects.com/blog/werkzeug-0-15-3-released/
Statement: While Red Hat Quay contains a vulnerable version of python-werkzeug in the quay container image, use of the debug feature is not recommended in any upstream or downstream documentation. A user of Red Hat Quay would have to enable python-werkzeug debugging before Red Hat Quay became vulnerable. This issue did not affect the versions of python-werkzeug as shipped with Red Hat Update Infrastructure as they did not include support for PIN based authentication. The same is true for the versions of python-werkzeug as shipped with Red Hat Enterprise Linux 8. Red Hat Satellite ships vulnerable python-werkzeug, however, it is not affected because it uses python-werkzeug as a dependency of python-flask required by Crane component and therefore package does not get invoked directly.