PYSEC-2024-248

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/opencanary/PYSEC-2024-248.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2024-248

Aliases

Published

2024-10-14T21:15:12Z

Modified

2025-05-16T14:56:49.762799Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenCanary, a multi-protocol network honeypot, directly executed commands taken from its config file. Prior to version 0.9.4, where the config file is stored in an unprivileged user directory but the daemon is executed by root, it’s possible for the unprivileged user to change the config file and escalate permissions when root later runs the daemon. Version 0.9.4 contains a fix for the issue.

References

Affected packages

PyPI / opencanary

Package

Name: opencanary; View open source insights on deps.dev
Purl: pkg:pypi/opencanary

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.4

Affected versions

0.*

0.2

0.3

0.3.1

0.3.2

0.4

0.5

0.5.1

0.5.2

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.6.0

0.6.1

0.6.2

0.6.3

0.7.1

0.9.0

0.9.1

0.9.2

0.9.3