GHSA-7xc5-ggpp-g249

Suggest an improvement
Source
https://github.com/advisories/GHSA-7xc5-ggpp-g249
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-7xc5-ggpp-g249/GHSA-7xc5-ggpp-g249.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7xc5-ggpp-g249
Aliases
Published
2021-04-20T16:13:24Z
Modified
2024-10-18T22:22:40.219895Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
pwntools Server-Side Template Injection (SSTI) vulnerability
Details

This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module are vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution.

Database specific 
{
    "nvd_published_at": "2021-01-08T12:15:00Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-06T23:11:00Z"
}
References

Affected packages

PyPI / pwntools

Package

Name
pwntools
View open source insights on deps.dev
Purl
pkg:pypi/pwntools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.1

Affected versions

2.*

2.0
2.1.0
2.1.1
2.1.2
2.1.3
2.2

3.*

3.0.0
3.0.1
3.0.2
3.0.4
3.1.0b0
3.1.0b1
3.1.0b2
3.1.0b3
3.1.0
3.1.1
3.2.0b0
3.2.0b2
3.2.0b3
3.2.0b4
3.2.0b5
3.2.0
3.2.1
3.3.0b0
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0b0
3.4.0b1
3.4.0b2
3.4.0b3
3.4.0b4
3.4.0
3.4.1
3.5.0b0
3.5.0b1
3.5.0
3.5.1
3.6.0b0
3.6.0b1
3.6.0
3.6.1
3.7.0b0
3.7.0b1
3.7.0
3.7.1
3.8.0b0
3.8.0b1
3.8.0
3.9.0b0
3.9.0
3.9.1
3.9.2
3.9.3
3.10.0b0
3.10.0b1
3.10.0b2
3.10.0
3.11.0b0
3.11.0
3.12.0b0
3.12.0
3.12.1
3.12.2
3.13.0b0
3.13.0

4.*

4.0.0b0
4.0.0
4.0.1
4.1.0b0
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.2.0b0
4.2.0
4.2.1
4.2.2
4.3.0b0
4.3.0