CVE-2018-1000070 — HIGH (8.8)

Vulnerability Description

Bitmessage PyBitmessage version v0.6.2 (and introduced in or after commit 8ce72d8d2d25973b7064b1cf76a6b0b3d62f0ba0) contains a Eval injection vulnerability in main program, file src/messagetypes/__init__.py function constructObject that can result in Code Execution. This attack appears to be exploitable via remote attacker using a malformed message which must be processed by the victim - e.g. arrive from any sender on bitmessage network. This vulnerability appears to have been fixed in v0.6.3.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Bitmessage	Pybitmessage	0.6.2

Related Weaknesses (CWE)

CWE-94

References

https://github.com/Bitmessage/PyBitmessage/commit/3a8016d31f517775d226aa8b902480PatchThird Party Advisory
https://github.com/Bitmessage/PyBitmessage/commit/3a8016d31f517775d226aa8b902480PatchThird Party Advisory

FAQ

What is CVE-2018-1000070?

CVE-2018-1000070 is a vulnerability with a CVSS score of 8.8 (HIGH). Bitmessage PyBitmessage version v0.6.2 (and introduced in or after commit 8ce72d8d2d25973b7064b1cf76a6b0b3d62f0ba0) contains a Eval injection vulnerability in main program, file src/messagetypes/__ini...

How severe is CVE-2018-1000070?

CVE-2018-1000070 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1000070?

Check the references section above for vendor advisories and patch information. Affected products include: Bitmessage Pybitmessage.