CVE-2023-30797 is a high-severity use of insufficiently random values vulnerability in lemur (pip), affecting versions < 1.3.2. It is fixed in 1.3.2.
Overview Lemur was using insecure random generation for its example configuration file, as well as for some utilities. Impact The potentially affected generated items include: | Configuration item | Config option name (if applicable) | Documentation link (if applicable) | Rotation option | Code reference(s) | | ----------- | ----------- | ----------- | ----------- |----------- | | Flask session secret | SECRETKEY | Flask documentation | Generate a new secret and place in config; all existing sessions will be invalidated | N/A, internal to Flask | | Lemur token secret | LEMURTOKENSECRET | Lemur's configuration documentation | Generate a new secret and place in config; all existing JWTs will be invalidated and must be regenerated (including API keys) | 1, 2 | | Lemur database encryption key | LEMURENCRYPTIONKEYS | Lemur's configuration documentation | A new key can be generated and added to this list, but existing data encrypted with prior keys cannot be re-encrypted unless you write a custom re-encryption process | 1 | | OAuth2 state token secret key | OAUTHSTATETOKENSECRET | Lemur's configuration documentation | Generate a new secret and place in config | 1 | | Randomly generated passphrases for openssl keystores | N/A, generated at runtime but persisted |N/A | Re-export all openssl keystores and replace them wherever they're in use | 1 | | Initial password for LDAP users | N/A, generated at runtime but persisted | N/A | N/A, cannot be rotated | 1 | | Initial password for Ping/OAuth2 users | N/A, generated at runtime but persisted |N/A | N/A, cannot be rotated | 1 | | Oauth2 nonce | N/A, short-lived runtime secret |N/A | N/A, rotation is not required (these are short-lived) | 1 | | Verisign certificate enrollment challenges | N/A, short-lived runtime secret | N/A | N/A, rotation is not required (these are short-lived) | 1 | If your deployment of Lemur is using any of the above config secrets that were generated by Lemur's example config_ (i.e., generated using insecure randomness), you should rotate those config secrets. If you generated your config secrets in a more secure way, they are not known to be compromised, but you should still upgrade Lemur to ensure that you receive code fixes for the runtime-generated secrets. For general information and guidance on Lemur secret configuration, see Lemur's configuration documentation, which includes information on many of the configuration options listed above. *For the user passwords: Even though these users are configured to use SSO, they do get generated with valid database passwords that can be used to log in. Since Lemur doesn't have an option to change passwords (#3888), one option for rotating them would be to directly modify the value in the database to some other unguessable string (you do not need to know the plaintext password since it won't be used). Patches The patch is available in v1.3.2. Workarounds No workarounds are available. References N/A
Security-sensitive operations rely on values that are predictable or insufficiently random. Typical impact: forged tokens, guessable identifiers, or broken cryptographic protocols.
CVE-2023-30797 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.3.2). Upgrading removes the vulnerable code path.
pip
lemur (< 1.3.2)lemur → 1.3.2 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2023-30797 is reachable in your applications. Explore open-source security for your team.
See if CVE-2023-30797 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2023-30797 in your environment →Upgrade lemur to 1.3.2 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2023-30797 is a high-severity use of insufficiently random values vulnerability in lemur (pip), affecting versions < 1.3.2. It is fixed in 1.3.2. Security-sensitive operations rely on values that are predictable or insufficiently random.
CVE-2023-30797 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
lemur (pip) versions < 1.3.2 is affected.
Yes. CVE-2023-30797 is fixed in 1.3.2. Upgrade to this version or later.
Whether CVE-2023-30797 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade lemur to 1.3.2 or later.