Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yODk0LXFjcWYtZzIzZ84AA2Ml
asyncua Improper Authentication vulnerability
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication.
Note:
This issue is a result of missing checks for services that require an active session.
Permalink: https://github.com/advisories/GHSA-2894-qcqf-g23g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yODk0LXFjcWYtZzIzZ84AA2Ml
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00133
EPSS Percentile: 0.49527
Identifiers: GHSA-2894-qcqf-g23g, CVE-2023-26150
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-26150
- https://github.com/FreeOpcUa/opcua-asyncio/issues/1014
- https://github.com/FreeOpcUa/opcua-asyncio/pull/1015
- https://github.com/FreeOpcUa/opcua-asyncio/commit/2be7ce80df05de8d6c6ae1ebce6fa2bb7147844a
- https://github.com/FreeOpcUa/opcua-asyncio/commit/b4106dfd5037423c9d1810b48a97296b59cde513
- https://gist.github.com/artfire52/84f7279a4119d6f90381ac49d7121121
- https://github.com/FreeOpcUa/opcua-asyncio/releases/tag/v0.9.96
- https://security.snyk.io/vuln/SNYK-PYTHON-ASYNCUA-5673435
- https://github.com/pypa/advisory-database/tree/main/vulns/asyncua/PYSEC-2023-189.yaml
- https://github.com/advisories/GHSA-2894-qcqf-g23g
Blast Radius: 12.5
Affected Packages
pypi:asyncua
Dependent packages: 8
Dependent repositories: 46
Downloads: 123,263 last month
Affected Version Ranges: < 0.9.96
Fixed in: 0.9.96
All affected versions: 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.6, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.14, 0.9.90, 0.9.91, 0.9.92, 0.9.93, 0.9.94, 0.9.95
All unaffected versions: 0.9.96, 0.9.97, 0.9.98, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5