CVE-2024-47532

Oct. 4, 2024, 1:51 p.m.

None
No Score

Description

RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, If the application does not require access to the module string, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise do not make it available in the restricted execution environment.

Product(s) Impacted

Product Versions
RestrictedPython
  • 7.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/zopefoundation/RestrictedPython/commit/d701cc36cccac36b21fa200f1f2d1945a9a215e6
https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-5rfv-66g4-jr8h

Tags

security-advisories@github.com
CWE-200
2024-09-30
CVE-2024-47532

Timeline

Published: Sept. 30, 2024, 4:15 p.m.
Last Modified: Oct. 4, 2024, 1:51 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.