Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02Nm0yLTQ5M20tY3JoMs4AA2CV

Searchor CLI's Search vulnerable to Arbitrary Code using Eval

An issue in Arjun Sharda's Searchor before version 2.4.2 allows an attacker to
execute arbitrary code via crafted input that reaches the eval() call in Searchor's src/searchor/main.py file, affecting the search command of Searchor's CLI (Command Line Interface).
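The shape of the bug, as an added example that is not Searchor's own source: the advisory only says that user input reaches eval() in the CLI's search path, so the Engine class, the engine names and the two search functions below are stand-ins written for this page. The vulnerable function splices the query into Python source text before eval()'ing it, so a single quote in the query closes the string literal and whatever follows is executed as Python; the hardened function dispatches through an allow-list and passes the query as an ordinary argument. Because the vulnerable call sits in a CLI, the attacker's input is whatever reaches the search command's query argument, for instance through a wrapper script or service that invokes searchor on behalf of others.

```python
"""Illustration of the eval() pattern behind GHSA-66m2-493m-crh2.

Added example, not Searchor's code: a made-up Engine table, the vulnerable
string-building eval() shape, and a hardened dispatch-table replacement.
"""
import urllib.parse


class Engine:
    """Hypothetical search-engine table (not Searchor's real Engine)."""

    @staticmethod
    def google(query: str) -> str:
        return "https://www.google.com/search?q=" + urllib.parse.quote_plus(query)

    @staticmethod
    def duckduckgo(query: str) -> str:
        return "https://duckduckgo.com/?q=" + urllib.parse.quote_plus(query)


def search_vulnerable(engine: str, query: str) -> str:
    """Vulnerable shape: user-controlled text is interpolated into Python
    source and handed to eval(). Both `engine` and `query` are injection
    points; a quote in `query` ends the literal and the rest runs as code."""
    return eval(f"Engine.{engine}('{query}')")


# Allow-list of engines; the key is compared, never interpolated into code.
SAFE_ENGINES = {"google": Engine.google, "duckduckgo": Engine.duckduckgo}


def search_safe(engine: str, query: str) -> str:
    """Hardened form: look the engine up in the allow-list and pass the
    query as a normal string argument. No source text is built from input."""
    if engine not in SAFE_ENGINES:
        raise ValueError(f"unknown engine: {engine!r}")
    return SAFE_ENGINES[engine](query)


# Constructed payload: closes the string literal, evaluates attacker-chosen
# Python (kept harmless here: 6*7), then re-opens the literal so the generated
# source still parses. A real payload would put __import__('os').system(...)
# in that gap.
PAYLOAD = "a' + str(6*7) + 'b"


def demo() -> dict:
    """Run the same payload through both paths; the vulnerable one executes
    the injected expression (the URL contains 42), the safe one merely
    URL-encodes the payload as literal query text."""
    return {
        "vulnerable": search_vulnerable("google", PAYLOAD),
        "safe": search_safe("google", PAYLOAD),
    }


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name:10s} {url}")
```

The fix is not "escape the quotes": any approach that keeps eval() in the path leaves the engine-name injection point and every other quoting corner case in place. Removing eval() entirely and resolving the engine through a dictionary (or getattr against a fixed class with a membership check) is what closes the class of bug.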

Impact

Versions 2.4.1 and below are affected.

Patches

Versions 2.4.2 and above contain the fix.

References

https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
https://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit-
https://github.com/jonnyzar/POC-Searchor-2.4.2
https://github.com/ArjunSharda/Searchor/pull/130

Permalink: https://github.com/advisories/GHSA-66m2-493m-crh2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02Nm0yLTQ5M20tY3JoMs4AA2CV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 5 months ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-66m2-493m-crh2, CVE-2023-43364
References: Repository: https://github.com/ArjunSharda/Searchor
Blast Radius: 0.0

Affected Packages

pypi:searchor
Dependent packages: 0
Dependent repositories: 1
Downloads: 159 last month
Affected Version Ranges: <= 2.4.1
Fixed in: 2.4.2
All affected versions: 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 2.0.0, 2.0.1, 2.0.2, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1
All unaffected versions: 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2