GHSA-4f92-w438-f484

Source
https://github.com/advisories/GHSA-4f92-w438-f484
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4f92-w438-f484/GHSA-4f92-w438-f484.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4f92-w438-f484
Aliases
  • CVE-2024-3955
Published
2024-05-02T12:30:40Z
Modified
2024-07-05T20:28:55.996036Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
CraftBeerPi 4 allows arbitrary code execution
Details

The URL GET parameter "logtime", read by the "downloadlog" function in "cbpi/httpendpoints/httpsystem.py", is passed on to the "os.system" call in "cbpi/controller/system_controller.py" without prior validation, allowing arbitrary code execution. This issue affects CraftBeerPi 4 from 4.0.0.58 (commit 563fae9) before 4.4.1.a1 (commit 57572c7).

Database specific
{
    "nvd_published_at": "2024-05-02T10:15:08Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-05T20:04:18Z"
}
References

Affected packages

PyPI / cbpi4

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0.58
Fixed
4.4.1.a1

Affected versions

4.*

4.0.5a13
4.0.5a14
4.0.5a15
4.0.5a16
4.0.5
4.0.6
4.0.7rc1
4.0.7rc3
4.0.7
4.1.0a2
4.1.0a3
4.1.0rc1
4.1.0rc2
4.1.0rc5
4.1.0rc8
4.1.0
4.1.2
4.1.6
4.1.7rc1
4.1.7
4.1.10rc2
4.1.10
4.1.11
4.2.0a6
4.2.0rc1
4.2.0
4.3.0
4.3.1
4.3.2
4.4.0