GHSA-xjw2-6jm9-rf67

Suggest an improvement
Source
https://github.com/advisories/GHSA-xjw2-6jm9-rf67
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-xjw2-6jm9-rf67/GHSA-xjw2-6jm9-rf67.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xjw2-6jm9-rf67
Aliases
Published
2023-08-30T20:47:58Z
Modified
2024-02-16T08:18:58.766349Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
Summary
Sandbox escape via various forms of "format".
Details

Impact

Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With RestrictedPython, the format functionality is available via the format and format_map methods of str (and unicode) (accessed either via the class or its instances) and via string.Formatter. All known versions of RestrictedPython are vulnerable.

Patches

The issue will be fixed in 5.4 and 6.2.

Workarounds

There are no workarounds to fix the issue without upgrading.

References

  • https://docs.python.org/3/library/stdtypes.html#str.format_map
  • http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/
  • https://www.exploit-db.com/exploits/51580

For more information

If you have any questions or comments about this advisory:

Credits

Thanks for analysing and reporting the go to:

  • Abhishek Govindarasu
  • Ankush Menat
  • Ward Theunisse
References

Affected packages

PyPI / restrictedpython

Package

Name
restrictedpython
View open source insights on deps.dev
Purl
pkg:pypi/restrictedpython

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.4

Affected versions

3.*

3.4.2
3.4.3
3.5.0
3.5.1
3.5.2
3.6.0a1
3.6.0

4.*

4.0a1
4.0a2
4.0a3
4.0b1
4.0b2
4.0b3
4.0b4
4.0b5
4.0b6
4.0b7
4.0b8
4.0

5.*

5.0
5.1
5.2a1.dev0
5.2
5.3a1.dev0
5.3

Database specific

{
    "last_known_affected_version_range": "<= 5.3"
}

PyPI / restrictedpython

Package

Name
restrictedpython
View open source insights on deps.dev
Purl
pkg:pypi/restrictedpython

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0
Fixed
6.2

Affected versions

6.*

6.0
6.1

Database specific

{
    "last_known_affected_version_range": "<= 6.1"
}