Arbitrary Code Execution Affecting web2py package, versions [,2.14.2)
Threat Intelligence
EPSS: 2.07% (90th percentile)
- Snyk ID SNYK-PYTHON-WEB2PY-42083
- published 21 Mar 2018
- disclosed 6 Feb 2018
- credit Unknown
How to fix?
Upgrade web2py to version 2.14.2 or higher.
Overview
web2py is an open source full-stack enterprise framework for agile development of secure database-driven web-based applications, written and programmable in Python.
Affected versions of this package are vulnerable to Arbitrary Code Execution. The secure_load function in gluon/utils.py uses pickle.loads to deserialize session information stored in cookies. Because unpickling can invoke arbitrary callables, a remote attacker who knows the encryption_key can craft a validly signed cookie whose deserialization executes arbitrary code on the server.
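The contrast below is an added example, not web2py's own code: a simplified signed-cookie loader in the style the advisory describes (HMAC check followed by pickle.loads), beside a hardened variant that keeps the same signature check but deserializes with json.loads, so that a leaked key lets an attacker forge session data but not run code. Function names, the key and the session values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Hypothetical helper names; they model the secure_dumps/secure_load pattern, not gluon/utils.py itself.
def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()

def _verify(data: str, key: bytes):
    """Split 'hexsig:base64payload', return the payload only if the HMAC matches."""
    sig, _, payload_b64 = data.partition(":")
    try:
        payload = base64.b64decode(payload_b64, validate=True)
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(key, payload)):
        return None
    return payload

def vulnerable_secure_load(data: str, key: bytes):
    """Vulnerable pattern: a valid signature is the only gate before pickle.loads,
    so anyone holding the key controls what the unpickler executes."""
    payload = _verify(data, key)
    return None if payload is None else pickle.loads(payload)

def secure_dumps(obj, key: bytes) -> str:
    """Serialize as JSON (data only, no callables), then sign."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return _sign(key, payload).decode() + ":" + base64.b64encode(payload).decode()

def secure_load(data: str, key: bytes):
    """Hardened: same signature check, but json.loads cannot execute code."""
    payload = _verify(data, key)
    if payload is None:
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None
```

The constructed key is for the demonstration only; in a deployment the signing key is a secret the application generates and the cookie should also carry an expiry that is checked after the signature.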