Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02N3IzLWg4OTktOXc5Nc4AArT7
Embedded Malicious Code in ctx
The ctx hosted project on PyPI was taken over via user account compromise and replaced with a malicious project which contained runtime code which collected the content of os.environ.items() when instantiating Ctx objects.
Permalink: https://github.com/advisories/GHSA-67r3-h899-9w95JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02N3IzLWg4OTktOXc5Nc4AArT7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-67r3-h899-9w95
References:
- https://github.com/pypa/advisory-database/tree/main/vulns/ctx/PYSEC-2022-199.yaml
- https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domain-takeover.html
- https://github.com/advisories/GHSA-67r3-h899-9w95
Affected Packages
pypi:ctx
Dependent packages: 0Dependent repositories: 14
Downloads: 0
Affected Version Ranges: >= 0.1.2-1
No known fixed version
All affected versions: 0.1.2, 0.2.1, 0.2.2