CVE-2023-26145

This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca	Exploit Third Party Advisory
https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021	Patch
https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:derrickgilland:pydash:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-09-28 05:15

Updated : 2023-11-07 04:09

NVD link : CVE-2023-26145

Mitre link : CVE-2023-26145

CVE.ORG link : CVE-2023-26145

JSON object : View

Products Affected

derrickgilland

pydash

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2023-26145", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}]}, "published": "2023-09-28T05:15:45.843", "references": [{"url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021", "tags": ["Patch"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\r\r**Note:**\r\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\r\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\r\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\r\r\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete pydash anteriores a la 6.0.0. Varios m\u00e9todos de pydash, como pydash.objects.invoke() y pydash.collections.invoke_map(), aceptan rutas de puntos (Deep Path Strings) para apuntar a un objeto Python anidado, en relaci\u00f3n con el objeto fuente original. Estas rutas se pueden utilizar para apuntar a atributos internos de clase y elementos de dictado, para recuperar, modificar o invocar objetos Python anidados. **Nota:** El m\u00e9todo pydash.objects.invoke() es vulnerable a la inyecci\u00f3n de comandos cuando se cumplen los siguientes requisitos previos: \n1) El objeto fuente (argumento 1) no es un objeto integrado como list/dict (de lo contrario, the __init__.__globals__ path no es accesible) \n2) El atacante tiene control sobre el argumento 2 (la cadena de ruta)\n3) El argumento (el argumento para pasar al m\u00e9todo invocado) \nEl m\u00e9todo pydash.collections.invoke_map() tambi\u00e9n es vulnerable, pero es m\u00e1s dif\u00edcil de explotar ya que el atacante no tiene control directo sobre el argumento que se pasar\u00e1 a la funci\u00f3n invocada.\n"}], "lastModified": "2023-11-07T04:09:28.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:derrickgilland:pydash:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78227353-EE51-4D4E-8B42-A4ADE5B179BF", "versionEndExcluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}