CVE-2024-56327

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-56327

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56327.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-56327

Aliases

GHSA-47h8-jmp3-9f28

Downstream

UBUNTU-CVE-2024-56327

Related

Published

2024-12-19T22:24:37Z

Modified

2025-10-14T14:35:11Z

Severity

7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Malicious plugin names, recipients, or identities can cause arbitrary binary execution in pyrage

Details

pyrage is a set of Python bindings for the rage file encryption library (age in Rust). pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details. Versions of pyrage before 1.2.0 lack plugin support and are therefore not affected. An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c. This issue has been addressed in version 1.2.3 and all users are advised to update. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/woodruffw/pyrage

Affected ranges

Type: GIT
Repo: https://github.com/woodruffw/pyrage
Events: Introduced

ec398c4a38a1d2e184458c96153df89e606b0ba5

Fixed

2a9bffd953403684b384b95ca93e345b3ecc9bd5