Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02Nm0yLTQ5M20tY3JoMs4AA2CV
Searchor CLI's Search vulnerable to Arbitrary Code using Eval
An issue in Arjun Sharda's Searchor before version 2.4.2 allows an attacker to execute arbitrary code via a crafted script passed to the eval() function in Searchor's src/searchor/main.py file, affecting the search feature in Searchor's CLI (Command Line Interface).
Impact
Versions 2.4.1 and below are affected.
Patches
Versions 2.4.2 and above have patched the vulnerability.
References
https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
https://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit-
https://github.com/jonnyzar/POC-Searchor-2.4.2
https://github.com/ArjunSharda/Searchor/pull/130
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02Nm0yLTQ5M20tY3JoMs4AA2CV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: about 2 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00192
EPSS Percentile: 0.57689
Identifiers: GHSA-66m2-493m-crh2, CVE-2023-43364
References:
- https://github.com/ArjunSharda/Searchor/security/advisories/GHSA-66m2-493m-crh2
- https://github.com/ArjunSharda/Searchor/pull/130
- https://github.com/ArjunSharda/Searchor/commit/16016506f7bf92b0f21f51841d599126d6fcd15b
- https://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit-
- https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
- https://nvd.nist.gov/vuln/detail/CVE-2023-43364
- https://github.com/advisories/GHSA-66m2-493m-crh2
- https://github.com/pypa/advisory-database/tree/main/vulns/searchor/PYSEC-2023-262.yaml
Blast Radius: 0.0
Affected Packages
pypi:searchor
Dependent packages: 0
Dependent repositories: 1
Downloads: 863 last month
Affected Version Ranges: <= 2.4.1
Fixed in: 2.4.2
All affected versions: 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 2.0.0, 2.0.1, 2.0.2, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1
All unaffected versions: 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2