Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qcjgzLXZyNGotbXA2cM4AATWv
web2py exposure of sensitive information
web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957.
Permalink: https://github.com/advisories/GHSA-jr83-vr4j-mp6pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcjgzLXZyNGotbXA2cM4AATWv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-jr83-vr4j-mp6p, CVE-2016-3954
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-3954
- https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/
- https://usn.ubuntu.com/4030-1/
- https://github.com/web2py/web2py/commit/0820926b500a321060ef6a76ce89fd35a252f8b0
- https://github.com/advisories/GHSA-jr83-vr4j-mp6p
Blast Radius: 7.3
Affected Packages
pypi:web2py
Dependent packages: 0Dependent repositories: 21
Downloads: 180 last month
Affected Version Ranges: < 2.14.2
Fixed in: 2.14.2
All affected versions: 1.96.4, 1.98.2, 2.1.1
All unaffected versions: