exotel-py 0.1.6 includes code execution backdoor inserted by a third party

2022-08-2800:00:26

GitHub Advisory Database

github.com

exotel-py

pypi

code execution

backdoor

downgrade

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

74.2%

JSON

The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution backdoor inserted by a third party. Users should downgrade to version 0.1.5 to avoid the problem.

Affected configurations

Vulners

Node

exotel_projectexotelMatch0.1.6python

VendorProductVersionCPE
exotel_projectexotel0.1.6cpe:2.3:a:exotel_project:exotel:0.1.6:*:*:*:*:python:*:*

Vendor	Product	Version	CPE
exotel_project	exotel	0.1.6	cpe:2.3:a:exotel_project:exotel:0.1.6:::::python::

References

github.com/advisories/GHSA-cv6j-9835-p7fh

github.com/jertel/elastalert2/pull/931

github.com/sarathsp06/exotel-py/issues/10

inspector.pypi.io/project/exotel/0.1.6/packages/8b/ed/9ebeb34d4adb9b01151d73ccfde9c1cb2d629c3b146953c8727559a65446/exotel-0.1.6.tar.gz/exotel-0.1.6/setup.py

nvd.nist.gov/vuln/detail/CVE-2022-38792

pypi.org/project/exotel/