GHSA-58h8-44mg-r43x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-58h8-44mg-r43x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-58h8-44mg-r43x/GHSA-58h8-44mg-r43x.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-58h8-44mg-r43x
- Aliases
-
- CVE-2013-4409
- PYSEC-2019-175
- Published
- 2022-05-05T00:29:00Z
- Modified
- 2024-09-20T17:08:30.443664Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- ReviewBoard and Djblets library are vulnerable to code execution
- Details
-
An eval() vulnerability exists in Python Software Foundation Djblets version before 0.6.30 and 0.7.0 before 0.7.19 and Beanbag Review Board before 1.7.15 when parsing JSON requests allowing an attacker to execute arbitrary Python code.
- Database specific
{ "nvd_published_at": "2019-11-04T21:15:00Z", "cwe_ids": [ "CWE-20" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-08-07T19:59:32Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-4409
- https://access.redhat.com/security/cve/cve-2013-4409
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4409
- https://exchange.xforce.ibmcloud.com/vulnerabilities/88059
- https://github.com/djblets/djblets
- https://github.com/djblets/djblets/blob/release-0.7.19/NEWS
- https://github.com/pypa/advisory-database/tree/main/vulns/djblets/PYSEC-2019-175.yaml
- https://security-tracker.debian.org/tracker/CVE-2013-4409
- https://web.archive.org/web/20200228151135/https://www.securityfocus.com/bid/63029
- https://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120619.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119819.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119820.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119830.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119831.html
Affected packages
PyPI / djblets
Package
- Name
- djblets
- View open source insights on deps.dev
- Purl
- pkg:pypi/djblets
PyPI / djblets
Package
- Name
- djblets
- View open source insights on deps.dev
- Purl
- pkg:pypi/djblets
PyPI / reviewboard
Package
- Name
- reviewboard
- View open source insights on deps.dev
- Purl
- pkg:pypi/reviewboard
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.7.15
Affected versions
1.*
1.0.dev
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.5.1
1.0.6
1.0.8
1.0.9
1.5
1.5.1
1.5.2
1.5.3
1.5.3.1
1.5.4
1.5.5
1.5.6
1.5.7
1.6
1.6.1
1.6.2
1.6.3
1.6.4
1.6.4.1
1.6.5
1.6.6
1.6.7
1.6.7.1
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.16
1.6.17
1.6.18
1.6.19
1.6.20
1.6.21
1.6.22
1.7
1.7.0.1
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.7.1
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14