Veracode Vulnerability Database: VERACODE:47683
History: Jun 21, 2024 - 7:01 a.m.

Remote Code Execution (RCE)

Published: 2024-06-21 07:01:58
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: js2py, vulnerability, disable_pyimport, remote code execution, api calls

CVSS3 base score: 5.3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score: 7.7
Confidence: Low
EPSS: 0.001
Percentile: 22.7%

js2py is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the js2py.disable_pyimport() function failing to prevent JS sandbox escape, which allows an attacker to send crafted API calls that result in arbitrary code execution.
