Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01cmZ2LTY2ZzQtanI4aM4AA_3y

RestrictedPython information leakage via `AttributeError.obj` and the `string` module

Impact

A user can indirectly gain access to protected (and potentially sensitive) information via `AttributeError.obj` and the `string` module.

Patches

The problem will be fixed in version 7.3.

Workarounds

If the application does not require access to the `string` module, it can remove it from `RestrictedPython.Utilities.utility_builtins` or otherwise not make it available in the restricted execution environment.

Permalink: https://github.com/advisories/GHSA-5rfv-66g4-jr8h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01cmZ2LTY2ZzQtanI4aM4AA_3y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 months ago
Updated: about 2 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-5rfv-66g4-jr8h, CVE-2024-47532
References: Repository: https://github.com/zopefoundation/RestrictedPython
Blast Radius: 21.4

Affected Packages

pypi:RestrictedPython
Dependent packages: 15
Dependent repositories: 716
Downloads: 1,958,580 last month
Affected Version Ranges: < 7.3
Fixed in: 7.3
All affected versions: 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.6.0
All unaffected versions: