GHSA-q2rq-qgcf-m22w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q2rq-qgcf-m22w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q2rq-qgcf-m22w/GHSA-q2rq-qgcf-m22w.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-q2rq-qgcf-m22w
- Aliases
- Published
- 2022-05-14T00:57:47Z
- Modified
- 2024-02-18T05:27:03.477548Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- web2py remote code execution via hardcoded encryption key in session.connect function
- Details
-
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the
session.connectfunction. - Database specific
{ "nvd_published_at": "2018-02-06T18:29:00Z", "cwe_ids": [ "CWE-798" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-08-03T22:44:35Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-3953
- https://github.com/web2py/web2py/issues/1205
- https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40
- https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957
- https://github.com/web2py/web2py
- https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py
- https://usn.ubuntu.com/4030-1
Affected packages
PyPI / web2py
Package
- Name
- web2py
- View open source insights on deps.dev
- Purl
- pkg:pypi/web2py