lemur
PyPI | 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting lemur
- CVE-2015-7764 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 0.2.1 | 2017-08-09
Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode.
- CVE-2023-30797 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.3.2 | 2023-04-19
vulnerable: 0.11.0 ... 1.3.1 (9 versions)
Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.
- CVE-2026-44304 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 1.9.0 | 2026-05-12
vulnerable: 0.11.0 ... 1.8.2 (17 versions)
Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inj…
- CVE-2026-44305 | MEDIUM | CVSS 6.8 | EG 6.8 | ✓ Fixed in 1.9.0 | 2026-05-12
vulnerable: 0.11.0 ... 1.8.2 (17 versions)
Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a…