OSV:GHSA-5RFV-66G4-JR8H

RestrictedPython information leakage via `AttributeError.obj` and the `string` module

Published: 2024-09-30 17:14:00
Source: Google (osv.dev)

CVSS 4.0 base score: 8.7
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N
AI Score: 6.4 (Confidence: High)
EPSS: 0 (Percentile: 9.6%)

Impact

A user can gain access to protected (and potentially sensitive) information indirectly via `AttributeError.obj` and the `string` module.

Patches

The problem will be fixed in version 7.3.

Workarounds

If the application does not require access to the `string` module, it can remove it from `RestrictedPython.Utilities.utility_builtins` or otherwise not make it available in the restricted execution environment.

