GHSA-h5cg-53g7-gqjw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h5cg-53g7-gqjw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-h5cg-53g7-gqjw/GHSA-h5cg-53g7-gqjw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-h5cg-53g7-gqjw
- Aliases
- Published
- 2024-03-06T17:05:30Z
- Modified
- 2024-08-02T15:47:32.967968Z
- Severity
-
- 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
- 8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N CVSS Calculator
- Summary
- RPyC's missing security check results in code execution when using numpy.array on the server-side.
- Details
-
An issue in Open Source: RPyC v.4.00 thru v.5.3.1 allows a remote attacker to execute arbitrary code via a crafted script to the
__array__attribute component. This vulnerability was introduced in 9f45f826.Attack Vector
RPyC services that rely on the
__array__attribute used by numpy are impacted. When the server-side exposes a method that calls the attribute named__array__for a a client provided netref (e.g.,np.array(client_netref)), a remote attacker can craft a class which results in remote code executionImpact
Assuming the system exposes a method that calls the attribute
__array__, an attacker can execute code using the vulnerable component.Patches
The fix is available in RPyC 6.0.0. The major version change is because some users may need to set
allow_pickletoTruewhen migrating to RPyC 6.Workarounds
While the recommend fix is to upgrade to RPyC 6.0.0, the workaround is to apply bba1d356 as patch.
Affected Component
The affected component is the
__array__method constructed forNetrefClass.References
- Database specific
{ "nvd_published_at": "2024-03-12T16:15:08Z", "cwe_ids": [ "CWE-306", "CWE-358", "CWE-913" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-06T17:05:30Z" }- References
-
- https://github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-h5cg-53g7-gqjw
- https://nvd.nist.gov/vuln/detail/CVE-2024-27758
- https://github.com/tomerfiliba-org/rpyc/commit/9f45f8269d4106905db61d82cd529cacdb178911
- https://github.com/tomerfiliba-org/rpyc/commit/bba1d3562e6f9f1256ec64048cc23001c0bb7516
- https://gist.github.com/renbou/957f70d27470982994f12a1d70153d09
- https://github.com/pypa/advisory-database/tree/main/vulns/rpyc/PYSEC-2024-44.yaml
- https://github.com/tomerfiliba-org/rpyc
- https://github.com/tomerfiliba-org/rpyc/blob/5.3.1/rpyc/core/netref.py#L252-L255
Affected packages
PyPI / rpyc
Package
- Name
- rpyc
- View open source insights on deps.dev
- Purl
- pkg:pypi/rpyc