Workflow

PyPi: Restrictedpython

CVE-2023-41039

Safety vulnerability ID: 60840

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Aug 30, 2023 Updated at Mar 14, 2024
Scan your Python projects for vulnerabilities →

Advisory

RestrictedPython 6.2 and 5.4 include a fix for an Information Disclosure vulnerability. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With 'RestrictedPython', the format functionality is available via the 'format' and 'format_map' methods of 'str' (and 'Unicode') and via 'string.Formatter'.
https://github.com/advisories/GHSA-xjw2-6jm9-rf67

Affected package

restrictedpython

Latest version: 7.1

RestrictedPython is a defined subset of the Python language which allows to provide a program input into a trusted environment.

Affected versions

Fixed versions

Vulnerability changelog

RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With `RestrictedPython`, the format functionality is available via the `format` and `format_map` methods of `str` (and `unicode`) (accessed either via the class or its instances) and via `string.Formatter`. All known versions of `RestrictedPython` are vulnerable. This issue has been addressed in commit `4134aedcff1` which has been included in the 5.4 and 6.2 releases. Users are advised to upgrade. There are no known workarounds for this vulnerability. See CVE-2023-41039.


MISC:https://github.com/zopefoundation/RestrictedPython/commit/4134aedcff17c977da7717693ed89ce56d54c120: https://github.com/zopefoundation/RestrictedPython/commit/4134aedcff17c977da7717693ed89ce56d54c120
MISC:https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-xjw2-6jm9-rf67: https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-xjw2-6jm9-rf67

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.7

CVSS v3 Details

HIGH 7.7
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
LOW
User Interaction (UI)
NONE
Scope (S)
CHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
NONE
Availability Availability (A)
NONE