The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Upgrade pyramid to version 2.0.2 or higher.
pyramid is a Python Web Framework.
Affected versions of this package are vulnerable to Information Exposure. When the os.path.normpath function is used in conjunction with a Pyramid static view with a full filesystem path, an attacker can disclose the index.html file by exploiting a path traversal vulnerability. This is only exploitable if an index.html file is located exactly one directory above the location of the static view's file system path and the user is using Python 3.11.
Mitigation: This vulnerability can be mitigated by using a version of Python 3 that is not affected, downgrading to Python 3.10 series temporarily, or waiting until Python 3.11.5 is released and upgrading to the latest version of Python 3.11 series.
Note: This vulnerability is caused by a specific implementation in the pyramid library of the underlying vulnerable code in Python, as per CVE-2023-41105.
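
To triage a deployment against the conditions listed above, the following added example (not part of the advisory or of pyramid itself) reports which of the three preconditions hold for a given static view path. The function names and the idea of passing the static root on the command line are assumptions of this sketch; the version thresholds are the ones stated in the advisory.

```python
import os
import sys
from importlib import metadata

FIXED_PYRAMID = (2, 0, 2)      # advisory: upgrade pyramid to 2.0.2 or higher
FIXED_PYTHON_311 = (3, 11, 5)  # advisory: Python 3.11.5 carries the fix


def parse_version(text):
    """Turn '2.0.1' into (2, 0, 1); suffixes such as 'b1' are ignored."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts + [0] * (3 - len(parts)))


def assess(pyramid_version, python_version, static_root):
    """Return the advisory preconditions that hold for one static view path."""
    findings = []
    if parse_version(pyramid_version) < FIXED_PYRAMID:
        findings.append("pyramid below 2.0.2")
    if (3, 11, 0) <= tuple(python_version[:3]) < FIXED_PYTHON_311:
        findings.append("Python 3.11 series before 3.11.5")
    parent = os.path.dirname(os.path.abspath(static_root))
    if os.path.isfile(os.path.join(parent, "index.html")):
        findings.append("index.html one directory above the static path")
    return findings


def is_exposed(pyramid_version, python_version, static_root):
    """All three conditions from the advisory must hold together."""
    return len(assess(pyramid_version, python_version, static_root)) == 3


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check.py /full/path/to/static  (your own static view root)
    try:
        installed = metadata.version("pyramid")
    except metadata.PackageNotFoundError:
        sys.exit("pyramid is not installed in this environment")
    for item in assess(installed, sys.version_info, sys.argv[1]):
        print("condition met:", item)
    exposed = is_exposed(installed, sys.version_info, sys.argv[1])
    print("exposed" if exposed else "not exposed")
```

A Python 3.11 build with a vendor-backported fix will still be flagged by the version comparison, so treat that finding as a prompt to check the distribution's changelog.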