Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jdnA3LWM1ODYtY21mNM0l4g
Withdrawn: Code Injection in loguru
Withdrawn
This advisory has been withdrawn after the maintainers of loguru noted this issue is not a security vulnerability and the CVE has been revoked. We have stopped Dependabot alerts regarding this issue.
Original Description
In versions of loguru up to and including 0.5.3 a lack of sanitization on log serialization can lead to arbitrary code execution. The maintainer disputes the issue, but has altered behavior of the library in commit 4b0070a4f30cbf6d5e12e6274b242b62ea11c81b. See https://github.com/Delgan/loguru/issues/563 for further discussion of the issue. The function in question is intended for internal use only, but is not restricted. This has been patched in version 0.6.0.
Permalink: https://github.com/advisories/GHSA-cvp7-c586-cmf4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jdnA3LWM1ODYtY21mNM0l4g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Withdrawn: over 2 years ago
Identifiers: GHSA-cvp7-c586-cmf4, CVE-2022-0329
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-0329
- https://github.com/delgan/loguru/commit/4b0070a4f30cbf6d5e12e6274b242b62ea11c81b
- https://huntr.dev/bounties/1-pypi-loguru
- https://github.com/Delgan/loguru/issues/563
- https://tomforb.es/cve-2022-0329-and-the-problems-with-automated-vulnerability-management/
- https://github.com/advisories/GHSA-cvp7-c586-cmf4
Blast Radius: 0.0
Affected Packages
pypi:loguru
Dependent packages: 2,592
Dependent repositories: 14,266
Downloads: 35,138,291 last month
Affected Version Ranges: <= 0.5.3
Fixed in: 0.6.0
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3
All unaffected versions: 0.6.0, 0.7.0, 0.7.1, 0.7.2