GHSA-7xc5-ggpp-g249

Suggest an improvement
Source
https://github.com/advisories/GHSA-7xc5-ggpp-g249
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-7xc5-ggpp-g249/GHSA-7xc5-ggpp-g249.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7xc5-ggpp-g249
Aliases
Published
2021-04-20T16:13:24Z
Modified
2024-02-16T08:18:12.922232Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
pwntools Server-Side Template Injection (SSTI) vulnerability
Details

This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module are vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution.

References

Affected packages

PyPI / pwntools

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.1

Affected versions

2.*

2.0
2.1.0
2.1.1
2.1.2
2.1.3
2.2

3.*

3.0.0
3.0.1
3.0.2
3.0.4
3.1.0b0
3.1.0b1
3.1.0b2
3.1.0b3
3.1.0
3.1.1
3.2.0b0
3.2.0b2
3.2.0b3
3.2.0b4
3.2.0b5
3.2.0
3.2.1
3.3.0b0
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0b0
3.4.0b1
3.4.0b2
3.4.0b3
3.4.0b4
3.4.0
3.4.1
3.5.0b0
3.5.0b1
3.5.0
3.5.1
3.6.0b0
3.6.0b1
3.6.0
3.6.1
3.7.0b0
3.7.0b1
3.7.0
3.7.1
3.8.0b0
3.8.0b1
3.8.0
3.9.0b0
3.9.0
3.9.1
3.9.2
3.9.3
3.10.0b0
3.10.0b1
3.10.0b2
3.10.0
3.11.0b0
3.11.0
3.12.0b0
3.12.0
3.12.1
3.12.2
3.13.0b0
3.13.0

4.*

4.0.0b0
4.0.0
4.0.1
4.1.0b0
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.2.0b0
4.2.0
4.2.1
4.2.2
4.3.0b0
4.3.0

Ecosystem specific

{
    "affected_functions": [
        "pwnlib.shellcraft.pretty",
        "pwnlib.constants.ConstantsModule.eval"
    ]
}