CVE-2024-47532

30.09.2024, 16:15

RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, If the application does not require access to the module string, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise do not make it available in the restricted execution environment.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Vendor	Product	Version
zope	restrictedpython	𝑥 < 7.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

restrictedpython

bullseye	postponed
bookworm	no-dsa
sid	8.0-1 fixed
trixie	8.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

restrictedpython

plucky	not-affected
oracular	Fixed 6.2-1ubuntu0.24.10.1 released
noble	Fixed 6.2-1ubuntu0.24.04.1~esm1 released
jammy	Fixed 4.0~b3-3ubuntu0.1~esm1 released
focal	Fixed 4.0~b3-2ubuntu0.1~esm1 released
bionic	not-affected
xenial	not-affected

Known Exploits!

https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-5rfv-66g4-jr8h

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/zopefoundation/RestrictedPython/commit/d701cc36cccac36b21fa200f1f2d1945a9a215e6

https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-5rfv-66g4-jr8h