Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-37271

Опубликовано: 11 июл. 2023
Источник: nvd
CVSS3: 8.4
CVSS3: 9.9
EPSS Низкий

Описание

RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least generators and generator expressions, which are allowed inside RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted sandbox and potentially allowing arbitrary code execution in the Python interpreter. All RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment are at risk. In terms of Zope and Plone, this would mean deployments where the administrator allows untrusted users to create and/or edit objects of type `Script (Pytho

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:zope:restrictedpython:*:*:*:*:*:*:*:*
Версия до 5.3 (исключая)
cpe:2.3:a:zope:restrictedpython:6.0:-:*:*:*:*:*:*
cpe:2.3:a:zope:restrictedpython:6.0:a1.dev0:*:*:*:*:*:*

EPSS

Процентиль: 46%
0.0023
Низкий

8.4 High

CVSS3

9.9 Critical

CVSS3

Дефекты

CWE-913

Связанные уязвимости

ubuntu логотип

CVE-2023-37271

CVSS3: 8.4
ubuntu
больше 2 лет назад

RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least generators and generator expressions, which are allowed inside RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted sandbox and potentially allowing arbitrary code execution in the Python interpreter. All RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment are at risk. In terms of Zope and Plone, this would mean deployments where the administrator allows untrusted users to create and/or edit objects of type `Script (Py...

debian логотип

CVE-2023-37271

CVSS3: 8.4
debian
больше 2 лет назад

RestrictedPython is a tool that helps to define a subset of the Python ...

github логотип

GHSA-wqc8-x2pr-7jqh

CVSS3: 8.4
github
больше 2 лет назад

RestrictedPython vulnerable to arbitrary code execution via stack frame sandbox escape

EPSS

Процентиль: 46%
0.0023
Низкий

8.4 High

CVSS3

9.9 Critical

CVSS3

Дефекты

CWE-913