Headline
GHSA-5rfv-66g4-jr8h: RestrictedPython information leakage via `AttributeError.obj` and the `string` module
Impact
A user can gain access to protected (and potentially sensitive) information indirectly via `AttributeError.obj` and the `string` module.
Patches
The problem will be fixed in version 7.3.
Workarounds
If the application does not require access to the `string` module, it can remove it from `RestrictedPython.Utilities.utility_builtins` or otherwise not make it available in the restricted execution environment.
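One way to apply this workaround at deployment time, as an added example that is not part of the advisory or the RestrictedPython project. The helper names are hypothetical, the version check treats anything before 7.3 as needing the workaround (per the Patches section), and merging `utility_builtins` into `__builtins__` is an assumption about how the application builds its restricted globals.

```python
import re
import string
from importlib import metadata

FIXED_RELEASE = (7, 3)  # "fixed in version 7.3" per the advisory's Patches section


def needs_workaround(version):
    """True if a RestrictedPython version string predates the fixed release."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if match is None:
        raise ValueError(f"unrecognised version: {version!r}")
    release = tuple(int(part) for part in match.group().split("."))
    # Pad so "7" compares as (7, 0). Pre-release suffixes are ignored here.
    release += (0,) * (len(FIXED_RELEASE) - len(release))
    return release < FIXED_RELEASE


def installed_needs_workaround():
    """Check the installed distribution; None if RestrictedPython is absent."""
    try:
        return needs_workaround(metadata.version("RestrictedPython"))
    except metadata.PackageNotFoundError:
        return None


def without_string(namespace):
    """Copy a name->object mapping, dropping the string module under any name."""
    return {
        name: obj
        for name, obj in namespace.items()
        if name != "string" and obj is not string
    }


def restricted_globals():
    """Globals for restricted code with `string` withheld (needs RestrictedPython)."""
    # Imported lazily so the helpers above work without the package installed.
    from RestrictedPython import safe_builtins
    from RestrictedPython.Utilities import utility_builtins

    builtins = dict(safe_builtins)
    builtins.update(without_string(utility_builtins))
    return {"__builtins__": builtins}
```

Filtering by object identity as well as by name keeps the module out even if the application has exposed it under an alias.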
- CVE-2024-47532
Package
RestrictedPython (pip)
References
- GHSA-5rfv-66g4-jr8h
- zopefoundation/RestrictedPython@d701cc3
Published to the GitHub Advisory Database: Sep 30, 2024
Last updated: Sep 30, 2024