Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00N2g4LWptcDMtOWYyOM4ABCoG
pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w.
All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details.
Versions of pyrage before 1.2.0 lack plugin support and are therefore not affected.
An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.
Thanks to ⬡-49016 for reporting this issue.
Permalink: https://github.com/advisories/GHSA-47h8-jmp3-9f28JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00N2g4LWptcDMtOWYyOM4ABCoG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-47h8-jmp3-9f28, CVE-2024-56327
References:
- https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c
- https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w
- https://github.com/woodruffw/pyrage/security/advisories/GHSA-47h8-jmp3-9f28
- https://nvd.nist.gov/vuln/detail/CVE-2024-56327
- https://github.com/advisories/GHSA-4fg7-vxc8-qx5w
- https://github.com/advisories/GHSA-47h8-jmp3-9f28
Blast Radius: 0.0
Affected Packages
pypi:pyrage
Dependent packages: 6Dependent repositories: 1
Downloads: 6,592 last month
Affected Version Ranges: >= 1.2.0, < 1.2.3
Fixed in: 1.2.3
All affected versions: 1.2.1, 1.2.2
All unaffected versions: 0.0.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.1, 1.1.2, 1.2.3