SB2023082825 - Multiple vulnerabilities in Pylons Pyramid
Published: August 28, 2023 Updated: September 11, 2023
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2023-40587)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing null-byte characters. A remote attacker can disclose the content of the "index.html" file located exactly one directory above the static view's file system path.
2) Path traversal (CVE-ID: CVE-2023-41105)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Remediation
Install the update from the vendor's website.
References
- https://github.com/Pylons/pyramid/commit/347d7750da6f45c7436dd0c31468885cc9343c85
- https://github.com/python/cpython/issues/106242
- https://github.com/python/cpython/pull/106816
- https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
- https://github.com/python/cpython/pull/107982
- https://github.com/python/cpython/pull/107983
- https://github.com/python/cpython/pull/107981
- https://mail.python.org/archives/list/security-announce@python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/