Insertion of Sensitive Information into Externally-Accessible File or Directory Affecting pyload-ng package, versions [,0.5.0b3.dev77)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
36.43% (98th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-PYLOADNG-6148653
  • published9 Jan 2024
  • disclosed8 Jan 2024
  • creditPinkDraconian

Introduced: 8 Jan 2024

CVE-2024-21644  (opens in a new tab)
CWE-538  (opens in a new tab)

How to fix?

Upgrade pyload-ng to version 0.5.0b3.dev77 or higher.

Overview

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory due to improper handling of a specific URL which exposes the Flask config, including the SECRET_KEY variable. An attacker can gain access to sensitive information by navigating to the exposed URL without authentication.

CVSS Scores

version 3.1