Vulnerability Description
RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensitive) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, if the application does not require access to the string module, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise not make it available in the restricted execution environment.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zope | Restrictedpython | < 7.3 |
Related Weaknesses (CWE)
References
- https://github.com/zopefoundation/RestrictedPython/commit/d701cc36cccac36b21fa20 (Patch)
- https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-5rfv (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2024-47532?
CVE-2024-47532 is a vulnerability with a CVSS score of 6.5 (MEDIUM). RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensitive) information indirectly via AttributeError.obj an...
How severe is CVE-2024-47532?
CVE-2024-47532 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-47532?
Check the references section above for vendor advisories and patch information. Affected products include: Zope Restrictedpython.