Dear Lemur community,
During a commissioned pentest of Lemur version 0.8.0 (a Netflix OSS project, available here), three vulnerabilities were identified in Lemur’s codebase. At a high level, the vulnerabilities enable an authenticated user to retrieve/access unauthorized information, including private keys.
Presently, we have no reason to believe that these vulnerabilities have been exploited. Evidence of access to sensitive information would be visible in HTTP request logs.
We have already prepared the patches to fix these vulnerabilities, and will be raising PRs to Lemur’s GitHub repository one week from today. On the same day, we will release a new version of Lemur (0.9.0) which will contain the patches. We recommend that all Lemur users upgrade immediately after version 0.9.0 has been released. We may disclose additional details regarding the vulnerabilities following the updated release of Lemur.
Thanks,
Lemur Team