Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐍 PyPI

GHSA-5fqv-mpj8-h7gm

HIGH

Lemur subject to insecure random generation

Also known asCVE-2023-30797PYSEC-2023-20
Published
Mar 1, 2023
Updated
Mar 16, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.8%probability of exploitation in next 30 days
Lower Risk51th percentile+0.45%
0.00%0.43%0.86%1.28%0.2%0.8%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐍lemur

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.

Description

Overview

Lemur was using insecure random generation for its example configuration file, as well as for some utilities.

Impact

The potentially affected generated items include:

Configuration itemConfig option name (if applicable)Documentation link (if applicable)Rotation optionCode reference(s)
Flask session secretSECRET_KEYFlask documentationGenerate a new secret and place in config; all existing sessions will be invalidatedN/A, internal to Flask
Lemur token secretLEMUR_TOKEN_SECRETLemur's configuration documentationGenerate a new secret and place in config; all existing JWTs will be invalidated and must be regenerated (including API keys)1, 2
Lemur database encryption keyLEMUR_ENCRYPTION_KEYSLemur's configuration documentationA new key can be generated and added to this list, but existing data encrypted with prior keys cannot be re-encrypted unless you write a custom re-encryption process1
OAuth2 state token secret keyOAUTH_STATE_TOKEN_SECRETLemur's configuration documentationGenerate a new secret and place in config1
Randomly generated passphrases for openssl keystoresN/A, generated at runtime but persistedN/ARe-export all openssl keystores and replace them wherever they're in use1
Initial password for LDAP usersN/A, generated at runtime but persistedN/AN/A, cannot be rotated*1
Initial password for Ping/OAuth2 usersN/A, generated at runtime but persistedN/AN/A, cannot be rotated*1
Oauth2 nonceN/A, short-lived runtime secretN/AN/A, rotation is not required (these are short-lived)1
Verisign certificate enrollment challengesN/A, short-lived runtime secretN/AN/A, rotation is not required (these are short-lived)1

If your deployment of Lemur is using any of the above config secrets that were generated by Lemur's example config (i.e., generated using insecure randomness), you should rotate those config secrets. If you generated your config secrets in a more secure way, they are not known to be compromised, but you should still upgrade Lemur to ensure that you receive code fixes for the runtime-generated secrets.

For general information and guidance on Lemur secret configuration, see Lemur's configuration documentation, which includes information on many of the configuration options listed above.

*For the user passwords: Even though these users are configured to use SSO, they do get generated with valid database passwords that can be used to log in. Since Lemur doesn't have an option to change passwords (#3888), one option for rotating them would be to directly modify the value in the database to some other unguessable string (you do not need to know the plaintext password since it won't be used).

Patches

The patch is available in v1.3.2.

Workarounds

No workarounds are available.

References

N/A

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐍PyPIlemurall versions1.3.2

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for lemur. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update lemur to 1.3.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-5fqv-mpj8-h7gm is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-5fqv-mpj8-h7gm is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-5fqv-mpj8-h7gm. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Overview Lemur was using insecure random generation for its example configuration file, as well as for some utilities. ### Impact The potentially affected generated items include: | Configuration item | Config option name (if applicable) | Documentation link (if applicable) | Rotation option | Code reference(s) | | ----------- | ----------- | ----------- | ----------- |----------- | | Flask session secret | `SECRET_KEY` | [Flask documentation](https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY) | Generate a new secret and place in config; all existing sessions
O3 Security · Impact-Aware SCA

Is GHSA-5fqv-mpj8-h7gm in your dependencies?

O3 detects GHSA-5fqv-mpj8-h7gm across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works