Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jdnA3LWM1ODYtY21mNM0l4g

Withdrawn: Code Injection in loguru

Withdrawn

This advisory has been withdrawn after the maintainers of loguru noted this issue is not a security vulnerability and the CVE has been revoked. We have stopped Dependabot alerts regarding this issue.

Original Description

In versions of loguru up to and including 0.5.3 a lack of sanitization on log serialization can lead to arbitrary code execution. The maintainer disputes the issue, but has altered behavior of the library in commit 4b0070a4f30cbf6d5e12e6274b242b62ea11c81b. See https://github.com/Delgan/loguru/issues/563 for further discussion of the issue. The function in question is intended for internal use only, but is not restricted. This has been patched in version 0.6.0.

Permalink: https://github.com/advisories/GHSA-cvp7-c586-cmf4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jdnA3LWM1ODYtY21mNM0l4g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 years ago
Updated: about 1 year ago

Widthdrawn: about 2 years ago

Identifiers: GHSA-cvp7-c586-cmf4, CVE-2022-0329
References: Repository: https://github.com/delgan/loguru
Blast Radius: 0.0

Affected Packages

pypi:loguru
Dependent packages: 1,874
Dependent repositories: 14,266
Downloads: 22,401,771 last month
Affected Version Ranges: <= 0.5.3
Fixed in: 0.6.0
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3
All unaffected versions: 0.6.0, 0.7.0, 0.7.1, 0.7.2