It was discovered that web2py does not properly check denied hosts before verifying passwords. An attacker could possibly use this issue to perform brute-force attacks. (CVE-2016-10321)
It was discovered that web2py allows remote attackers to obtain environment variable values. An attacker could possibly use this issue to gain administrative access. (CVE-2016-3952)
It was discovered that web2py uses a hardcoded encryption key. An attacker could possibly use this issue to execute arbitrary code. (CVE-2016-3953, CVE-2016-3954, CVE-2016-3957)
{ "availability": "No subscription required", "binaries": [ { "binary_version": "2.12.3-1ubuntu0.1", "binary_name": "python-gluon" }, { "binary_version": "2.12.3-1ubuntu0.1", "binary_name": "python-web2py" } ] }
{ "cves_map": { "cves": [ { "id": "CVE-2016-3952", "severity": [ { "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" }, { "score": "medium", "type": "Ubuntu" } ] }, { "id": "CVE-2016-3953", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" }, { "score": "low", "type": "Ubuntu" } ] }, { "id": "CVE-2016-3954", "severity": [ { "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" }, { "score": "low", "type": "Ubuntu" } ] }, { "id": "CVE-2016-3957", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" }, { "score": "medium", "type": "Ubuntu" } ] }, { "id": "CVE-2016-10321", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" }, { "score": "medium", "type": "Ubuntu" } ] } ], "ecosystem": "Ubuntu:16.04:LTS" } }