CVSS3: 8.3 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
EPSS: 0.001 Low
EPSS Percentile: 21.9%
RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's `format` functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With RestrictedPython, the format functionality is available via the `format` and `format_map` methods of `str` (and `unicode`) (accessed either via the class or its instances) and via `string.Formatter`. All known versions of RestrictedPython are vulnerable. This issue has been addressed in commit 4134aedcff1, which has been included in the 5.4 and 6.2 releases. Users are advised to upgrade. There are no known workarounds for this vulnerability.
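The advisory's point is that a single replacement field can walk an object graph through attribute access and subscription. The following added example (my own code, not RestrictedPython's and not the upstream fix) shows the one hook in `string.Formatter` where that walk happens, `get_field()`, and a subclass that refuses compound field names so only top-level fields such as `{0}`, `{}` or `{name}` resolve; it also includes a template validator for code that stores user-supplied templates. The names `RestrictedFormatter`, `restricted_format` and `is_template_safe` are my own.

```python
import string


class RestrictedFormatter(string.Formatter):
    """Resolve only top-level fields such as "{0}", "{}" or "{name}".

    The format mini-language lets a field descend into objects with
    attribute access ("{0.__class__}") and subscription ("{0[key]}").
    get_field() is the single point where string.Formatter resolves a
    field name, and it is also called for fields nested inside a format
    spec (e.g. "{0:{1.__class__}}"), so rejecting compound names here
    covers both cases.
    """

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(
                f"attribute/index access not allowed in field {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def restricted_format(template, *args, **kwargs):
    """str.format()-like call that goes through RestrictedFormatter."""
    return RestrictedFormatter().vformat(template, args, kwargs)


def is_template_safe(template):
    """True if every replacement field (including fields nested in a
    format spec) is a plain top-level field. Use this to validate a
    user-supplied template before storing it."""
    for _, field_name, format_spec, _ in string.Formatter().parse(template):
        if field_name is None:
            continue  # literal text only, no replacement field
        if "." in field_name or "[" in field_name:
            return False
        # The format spec may itself contain replacement fields.
        if format_spec and not is_template_safe(format_spec):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample templates: the first two are harmless, the
    # last two try to descend into the argument and are rejected.
    for tpl in ("{0} and {name}", "{0:{1}}", "{0.__class__}", "{0:{1.__class__}}"):
        print(f"{tpl!r}: safe={is_template_safe(tpl)}")
    print(restricted_format("{0} and {name}", 1, name="x"))
```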
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | restrictedpython | < any | UNKNOWN |
ubuntu | 20.04 | noarch | restrictedpython | < any | UNKNOWN |
ubuntu | 22.04 | noarch | restrictedpython | < any | UNKNOWN |
ubuntu | 23.10 | noarch | restrictedpython | < any | UNKNOWN |
ubuntu | 24.04 | noarch | restrictedpython | < any | UNKNOWN |
ubuntu | 16.04 | noarch | restrictedpython | < any | UNKNOWN |
github.com/zopefoundation/RestrictedPython/commit/4134aedcff17c977da7717693ed89ce56d54c120
github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-xjw2-6jm9-rf67
launchpad.net/bugs/cve/CVE-2023-41039
nvd.nist.gov/vuln/detail/CVE-2023-41039
security-tracker.debian.org/tracker/CVE-2023-41039
www.cve.org/CVERecord?id=CVE-2023-41039