Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01cmZ2LTY2ZzQtanI4aM4AA_3y
RestrictedPython information leakage via `AttributeError.obj` and the `string` module
Impact
A user can gain access to protected (and potentially sensitive) information indirectly via `AttributeError.obj` and the `string` module.
Patches
The problem will be fixed in version 7.3.
Workarounds
If the application does not require access to the `string` module, it can remove it from `RestrictedPython.Utilities.utility_builtins` or otherwise not make it available in the restricted execution environment.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01cmZ2LTY2ZzQtanI4aM4AA_3y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00049
EPSS Percentile: 0.19552
Identifiers: GHSA-5rfv-66g4-jr8h, CVE-2024-47532
References:
- https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-5rfv-66g4-jr8h
- https://github.com/zopefoundation/RestrictedPython/commit/d701cc36cccac36b21fa200f1f2d1945a9a215e6
- https://nvd.nist.gov/vuln/detail/CVE-2024-47532
- https://github.com/advisories/GHSA-5rfv-66g4-jr8h
Blast Radius: 21.4
Affected Packages
pypi:RestrictedPython
Dependent packages: 15
Dependent repositories: 716
Downloads: 2,359,890 last month
Affected Version Ranges: < 7.3
Fixed in: 7.3
All affected versions: 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.6.0
All unaffected versions: