Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12Y2NnLWY0Z3AtNDV4Oc4AA3S2
Eval Injection in fastbots
Impact
An attacker who can modify the locators.ini locator file can place Python code in it; because the file contents are executed without proper validation, this can lead to remote code execution (RCE). The vulnerability is in the function def locator(self, locator_name: str) in page.py. The vulnerable code, which loads the locator from the file and executes it directly without validation, is:
return eval(self._bot.locator(self._page_name, locator_name))
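The following is an added example, not fastbots' own code: it places the eval-based loading pattern named above beside a hardened loader that accepts only literal (strategy, value) string pairs from an allowlist. The locators.ini layout shown (a section per page, one "(strategy, value)" tuple per key) is an assumption made for the example.

```python
import ast
import configparser
from typing import Tuple

# Strategies the loader will accept; anything else is rejected. (Assumed set.)
ALLOWED_STRATEGIES = {"id", "name", "xpath", "css selector", "class name"}

# Constructed sample config in the assumed layout.
SAMPLE_INI = """
[login_page]
username = ("id", "user")
submit = ("xpath", "//button[@type='submit']")
"""


def load_section(text: str, page: str) -> configparser.SectionProxy:
    # interpolation=None so '%' in a selector is not treated specially.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg[page]


def locator_vulnerable(raw: str):
    # The pattern flagged by the advisory: whatever the file contains is executed.
    return eval(raw)  # noqa: S307


def locator_safe(raw: str) -> Tuple[str, str]:
    # ast.literal_eval builds literals only; names, calls and attribute
    # access raise instead of running, so tampered entries fail closed.
    try:
        parsed = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"locator is not a literal: {raw!r}") from exc
    if (not isinstance(parsed, tuple) or len(parsed) != 2
            or not all(isinstance(p, str) for p in parsed)):
        raise ValueError(f"locator must be a (strategy, value) string pair: {raw!r}")
    strategy, value = parsed
    if strategy not in ALLOWED_STRATEGIES:
        raise ValueError(f"unknown locator strategy: {strategy!r}")
    return strategy, value


def load_locator(text: str, page: str, name: str) -> Tuple[str, str]:
    return locator_safe(load_section(text, page)[name])


def is_rejected(raw: str) -> bool:
    # True when the hardened parser refuses the entry.
    try:
        locator_safe(raw)
    except ValueError:
        return True
    return False
```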
Patches
To mitigate this issue, upgrade to fastbots version 0.1.5 or above.
References
Merge that fix also this issue
Permalink: https://github.com/advisories/GHSA-vccg-f4gp-45x9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12Y2NnLWY0Z3AtNDV4Oc4AA3S2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 8.4
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-vccg-f4gp-45x9, CVE-2023-48699
References:
- https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9
- https://nvd.nist.gov/vuln/detail/CVE-2023-48699
- https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806
- https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57
- https://github.com/advisories/GHSA-vccg-f4gp-45x9
Blast Radius: 2.5
Affected Packages
pypi:fastbots
Dependent packages: 0
Dependent repositories: 2
Downloads: 1,064 last month
Affected Version Ranges: < 0.1.5
Fixed in: 0.1.5
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4
All unaffected versions: 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7