Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02N3IzLWg4OTktOXc5Nc4AArT7

Embedded Malicious Code in ctx

The ctx hosted project on PyPI was taken over via user account compromise and replaced with a malicious project which contained runtime code which collected the content of os.environ.items() when instantiating Ctx objects.

Permalink: https://github.com/advisories/GHSA-67r3-h899-9w95
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02N3IzLWg4OTktOXc5Nc4AArT7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago

Identifiers: GHSA-67r3-h899-9w95
References:

https://github.com/pypa/advisory-database/tree/main/vulns/ctx/PYSEC-2022-199.yaml
https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domain-takeover.html
https://github.com/advisories/GHSA-67r3-h899-9w95

Blast Radius: 0.0

Affected Packages

pypi:ctx

Dependent packages: 0
Dependent repositories: 14
Downloads: 0
Affected Version Ranges: >= 0.1.2-1
No known fixed version
All affected versions: 0.1.2, 0.2.1, 0.2.2