GHSA-5rfv-66g4-jr8h: RestrictedPython information leakage via `AttributeError.obj` and the `string` module

Impact

A user can gain access to protected (and potentially sensitive) information indirectly via `AttributeError.obj` and the `string` module.

Patches

The problem will be fixed in version 7.3.

Workarounds

If the application does not require access to the `string` module, it can remove it from `RestrictedPython.Utilities.utility_builtins` or otherwise not make it available in the restricted execution environment.
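One way to apply this workaround at application startup, as an added example that is not code from the advisory or from the RestrictedPython project. The function names are hypothetical, and the check treats anything other than a final release at or above 7.3 as still needing the workaround.

```python
import string
from importlib import metadata

FIXED = (7, 3)  # the advisory names 7.3 as the fixed release


def needs_workaround(version):
    """True unless `version` is a final release at or above 7.3."""
    pieces = version.split(".")
    if not all(p.isdigit() for p in pieces):
        return True  # pre/dev/post builds: treated conservatively as unfixed
    return tuple(int(p) for p in pieces) < FIXED


def remove_string(builtins_map):
    """Delete 'string' and any alias of the module, in place; return the names."""
    removed = sorted(k for k, v in builtins_map.items()
                     if k == "string" or v is string)
    for name in removed:
        del builtins_map[name]
    return removed


def apply_workaround():
    """Run once at startup, before any restricted code is executed."""
    try:
        from RestrictedPython.Utilities import utility_builtins
        version = metadata.version("RestrictedPython")
    except (ImportError, metadata.PackageNotFoundError):
        return None  # RestrictedPython is not installed in this environment
    if needs_workaround(version):
        return remove_string(utility_builtins)
    return []  # fixed release: nothing removed


if __name__ == "__main__":
    print("removed from utility_builtins:", apply_workaround())
```

Restricted scripts that legitimately use `string` will fail with a `NameError` after this runs, so it only suits applications that do not need the module.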

CVE-2024-47532

Package

RestrictedPython (pip)

References

  • GHSA-5rfv-66g4-jr8h
  • zopefoundation/RestrictedPython@d701cc3

Published to the GitHub Advisory Database: Sep 30, 2024

Last updated: Sep 30, 2024
