Description
Searchor CLI's Search vulnerable to Arbitrary Code using Eval
An issue in Arjun Sharda's Searchor before version v.2.4.2 allows an attacker to execute arbitrary code via a crafted script passed to the eval() function in Searchor's src/searchor/main.py file, affecting the search feature in Searchor's CLI (Command Line Interface).
Impact
Versions 2.4.1 and below are affected.
Patches
Versions 2.4.2 and above contain the patch for this vulnerability.
References
- https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
- https://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit-
- https://github.com/jonnyzar/POC-Searchor-2.4.2
- https://github.com/ArjunSharda/Searchor/pull/130
Links
- https://github.com/ArjunSharda/Searchor/security/advisories/GHSA-66m2-493m-crh2
- https://nvd.nist.gov/vuln/detail/CVE-2023-43364
- https://github.com/ArjunSharda/Searchor/pull/130
- https://github.com/ArjunSharda/Searchor/commit/16016506f7bf92b0f21f51841d599126d6fcd15b
- https://github.com/advisories/GHSA-66m2-493m-crh2
- https://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit-
- https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
- https://github.com/pypa/advisory-database/tree/main/vulns/searchor/PYSEC-2023-262.yaml
Packages
- searchor: affected versions <= 2.4.1, patched in 2.4.2
Related vulnerabilities
main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution.
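The description above and this related entry both describe the same bug class: CLI arguments interpolated into a string that eval() then executes. The added example below is not Searchor's code; its Engine enum, URL templates and search() signature are simplified stand-ins assumed for illustration. It places the unsafe pattern beside a hardened lookup that treats the engine name and query as data rather than code.

```python
"""Illustration of the eval-on-CLI-input bug class (added example,
not Searchor's code). The Engine enum, its URL templates and the
search() method are assumptions made for this illustration."""
from enum import Enum
from urllib.parse import quote_plus


class Engine(Enum):
    # Constructed sample engines; the URL templates are assumptions.
    Google = "https://www.google.com/search?q={q}"
    DuckDuckGo = "https://duckduckgo.com/?q={q}"

    def search(self, query: str) -> str:
        # Build the search URL, URL-encoding the query.
        return self.value.format(q=quote_plus(query))


def search_unsafe(engine: str, query: str) -> str:
    # Vulnerable pattern: both CLI arguments become part of a Python
    # expression that eval() executes, so the user controls code, not data.
    # A query such as "a' + 'b" is evaluated as an expression ("ab"),
    # which shows that the input is being interpreted rather than used.
    return eval(f"Engine.{engine}.search('{query}')")


def search_safe(engine: str, query: str) -> str:
    # Hardened pattern: resolve the engine by name through the enum
    # (a data lookup, no evaluation) and pass the query as a plain argument.
    try:
        selected = Engine[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return selected.search(query)


if __name__ == "__main__":
    print(search_safe("Google", "searchor"))
```

With the safe version, a query that would be parsed as Python by eval() is simply URL-encoded and sent verbatim.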