Information Exposure Affecting taegis-magic package, versions [,2024.10.8)

Q: How to fix?

Upgrade taegis-magic to version 2024.10.8 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PYTHON-TAEGISMAGIC-8340642
published4 Nov 2024
disclosed1 Nov 2024
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 1 Nov 2024

CWE-214 (opens in a new tab)

How to fix?

Upgrade taegis-magic to version 2024.10.8 or higher.

Overview

taegis-magic is a Taegis IPython Magics

Affected versions of this package are vulnerable to Information Exposure due to the exposure of inspect.currentframe().f_locals in the search() function in events.py, which exposes a GraphQLService object. This may include sensitive internal values such as tenant IDs, regions, or other private data, depending on the context in which the function is called.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None