Pyramid Weak Secret Key

Severity: High | Web App Scanning Plugin ID 114437

Synopsis

Pyramid Weak Secret Key

Description

Pyramid applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, the security of the entire application is compromised. An attacker who recovers the key can potentially decrypt sensitive data, forge valid session cookies, or, in some scenarios, achieve remote code execution.

Solution

The secret key used to sign the application's cookies must be strong (long and randomly generated) so that it cannot be recovered by a brute-force attack.
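The following Python script is an added example, not code from the plugin page or from the Pyramid project. It shows a startup-time check a Pyramid application could run on the secret before handing it to `pyramid.session.SignedCookieSessionFactory`: it rejects placeholder values, short values and low-entropy values, and generates a replacement with `secrets.token_urlsafe`. The weak-value list, the 32-character minimum, the 128-bit entropy floor and the `PYRAMID_SESSION_SECRET` environment variable name are assumptions chosen for this example.

```python
import math
import os
import secrets
from collections import Counter

# Constructed sample of placeholder secrets as they appear in example configs
# (assumption for this example; not a scanner wordlist).
KNOWN_WEAK_SECRETS = {"secret", "changeme", "itsaseekreet", "mysecret", "password", "pyramid"}

MIN_SECRET_LENGTH = 32   # assumption: minimum length accepted here
MIN_ENTROPY_BITS = 128.0  # assumption: minimum estimated entropy accepted here


def shannon_entropy_bits(value: str) -> float:
    """Estimate the total entropy of a string from its character frequencies.

    This is an upper-bound heuristic on the key material actually present:
    a repeated or dictionary-like value scores low, random output scores high.
    """
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum((c / n) * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def assess_secret(value: str) -> list[str]:
    """Return the list of problems found; an empty list means the secret passed."""
    findings = []
    if value.strip().lower() in KNOWN_WEAK_SECRETS:
        findings.append("known placeholder/default value")
    if len(value) < MIN_SECRET_LENGTH:
        findings.append(f"too short ({len(value)} < {MIN_SECRET_LENGTH} characters)")
    bits = shannon_entropy_bits(value)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"low entropy (~{bits:.0f} bits < {MIN_ENTROPY_BITS:.0f})")
    return findings


def generate_secret(nbytes: int = 32) -> str:
    """Produce a fresh signing secret from the OS CSPRNG (256 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def load_session_secret(env_var: str = "PYRAMID_SESSION_SECRET") -> str:
    """Read the secret from the environment and refuse to start on a weak value.

    Failing fast at startup is the defender-side check: a weak key never
    reaches the session factory, so no cookie is ever signed with it.
    """
    value = os.environ.get(env_var, "")
    problems = assess_secret(value)
    if problems:
        raise RuntimeError(f"{env_var} rejected: " + "; ".join(problems))
    return value


if __name__ == "__main__":
    for candidate in ("changeme", "a" * 64, generate_secret()):
        verdict = assess_secret(candidate) or ["ok"]
        print(f"{candidate[:12]:<12} -> {', '.join(verdict)}")
    # Typical wiring, shown as a comment because Pyramid is not imported here:
    #   from pyramid.session import SignedCookieSessionFactory
    #   session_factory = SignedCookieSessionFactory(load_session_secret())
```

Operationally, `generate_secret()` is run once, the value is placed in the environment variable the application reads, and `load_session_secret()` aborts startup if anyone later substitutes a placeholder. Rotating the secret invalidates every existing signed cookie, which is the intended effect after a weak key is found.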

See Also

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

https://docs.pylonsproject.org/projects/pyramid/en/latest/api/authentication.html

Plugin Details

Severity: High

ID: 114437

Type: remote

Published: 9/24/2024

Updated: 9/24/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

Reference Information