CVE-2023-41039
Source: Ubuntu CVE tracker (ubuntu.com), UB:CVE-2023-41039
Published: 2023-08-30
Tags: restrictedpython, python, format method, information disclosure, vulnerability, upgrade

CVSS v3.1 base score: 8.3 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: LOW

EPSS: 0.001 (Low), percentile 21.9%

RestrictedPython is a restricted execution environment for Python to run
untrusted code. Python's "format" functionality allows someone controlling
the format string to "read" all objects accessible through recursive
attribute lookup and subscription from the objects they can access, which
can lead to critical information disclosure. With RestrictedPython, the
format functionality is available via the format and format_map methods of
str (and unicode), accessed either via the class or its instances, and via
string.Formatter. All known versions of RestrictedPython are vulnerable.
This issue has been addressed in commit 4134aedcff1, which has been
included in the 5.4 and 6.2 releases. Users are advised to upgrade. There
are no known workarounds for this vulnerability.
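As an added illustration (not part of the Ubuntu advisory and not RestrictedPython's own fix), the Python below shows why an attacker-controlled format string reaches data the template author never exposed, and one defensive pattern: a string.Formatter subclass that resolves only an explicit whitelist of keyword fields and rejects attribute access, subscription and positional fields. The Account class, the SafeFormatter/render_untrusted_template/check_template names and the token value are constructed for this example.

```python
import string


class Account:
    """Constructed sample object: only 'name' is meant to be exposed to templates."""

    def __init__(self, name, api_token):
        self.name = name
        self.api_token = api_token


def leaks_via_builtin_format(acct):
    """str.format walks attributes of any argument it is handed, so an
    untrusted format string reaches fields the template author never exposed."""
    return "{0.api_token}".format(acct) == acct.api_token


class SafeFormatter(string.Formatter):
    """Hypothetical hardened formatter (added example, not RestrictedPython's fix).

    Only whitelisted keyword fields resolve; any field using attribute access
    ('.'), subscription ('[') or positional indexing is rejected, so the
    recursive traversal described in the advisory is unreachable. Nested
    fields inside a format spec ('{x:{y}}') also go through get_field.
    """

    def __init__(self, allowed_fields):
        super().__init__()
        self.allowed_fields = frozenset(allowed_fields)

    def get_field(self, field_name, args, kwargs):
        if not field_name or field_name.isdigit():
            raise ValueError(f"positional fields are not allowed: {field_name!r}")
        if "." in field_name or "[" in field_name:
            raise ValueError(f"attribute/subscript traversal rejected: {field_name!r}")
        if field_name not in self.allowed_fields:
            raise ValueError(f"unknown field: {field_name!r}")
        return kwargs[field_name], field_name


def render_untrusted_template(template, **fields):
    """Render a user-supplied template against a fixed set of named values only."""
    return SafeFormatter(fields).vformat(template, (), fields)


def check_template(template, **fields):
    """Return the rendered text, or None when the template tries to escape the whitelist."""
    try:
        return render_untrusted_template(template, **fields)
    except ValueError:
        return None
```

The same check applies wherever a sandbox exposes str.format, str.format_map or string.Formatter to untrusted templates: the format string itself, not just the arguments, has to be treated as input.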
