CVE-2023-26145 (GCVE-0-2023-26145)
Vulnerability from cvelistv5
Published
2023-09-28 05:00
Modified
2024-09-23 19:02
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P
CWE
Summary
This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.
References
Impacted products
Vendor Product Version
n/a pydash Version: 0   
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:39:06.569Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-26145",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-23T19:02:43.525044Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-23T19:02:59.017Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pydash",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "6.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Calum Hutton"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\r\r**Note:**\r\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\r\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\r\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\r\r\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "Command Injection",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-28T05:00:01.328Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518"
        },
        {
          "url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca"
        },
        {
          "url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2023-26145",
    "datePublished": "2023-09-28T05:00:01.328Z",
    "dateReserved": "2023-02-20T10:28:48.928Z",
    "dateUpdated": "2024-09-23T19:02:59.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-26145\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2023-09-28T05:15:45.843\",\"lastModified\":\"2024-11-21T07:50:52.307\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\\r\\r**Note:**\\r\\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\\r\\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\\r\\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\\r\\r\\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.\"},{\"lang\":\"es\",\"value\":\"Esto afecta a las versiones del paquete pydash anteriores a la 6.0.0. Varios m\u00e9todos de pydash, como pydash.objects.invoke() y pydash.collections.invoke_map(), aceptan rutas de puntos (Deep Path Strings) para apuntar a un objeto Python anidado, en relaci\u00f3n con el objeto fuente original. Estas rutas se pueden utilizar para apuntar a atributos internos de clase y elementos de dictado, para recuperar, modificar o invocar objetos Python anidados. **Nota:** El m\u00e9todo pydash.objects.invoke() es vulnerable a la inyecci\u00f3n de comandos cuando se cumplen los siguientes requisitos previos: \\n1) El objeto fuente (argumento 1) no es un objeto integrado como list/dict (de lo contrario, the __init__.__globals__ path no es accesible) \\n2) El atacante tiene control sobre el argumento 2 (la cadena de ruta)\\n3) El argumento (el argumento para pasar al m\u00e9todo invocado) \\nEl m\u00e9todo pydash.collections.invoke_map() tambi\u00e9n es vulnerable, pero es m\u00e1s dif\u00edcil de explotar ya que el atacante no tiene control directo sobre el argumento que se pasar\u00e1 a la funci\u00f3n invocada.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"},{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:derrickgilland:pydash:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.0.0\",\"matchCriteriaId\":\"78227353-EE51-4D4E-8B42-A4ADE5B179BF\"}]}]}],\"references\":[{\"url\":\"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:39:06.569Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-26145\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-23T19:02:43.525044Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-23T19:02:54.375Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Calum Hutton\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"pydash\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.0.0\", \"versionType\": \"semver\"}]}], \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\"}, {\"url\": \"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\"}, {\"url\": \"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\\r\\r**Note:**\\r\\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\\r\\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\\r\\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\\r\\r\\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-78\", \"description\": \"Command Injection\"}]}], \"providerMetadata\": {\"orgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"shortName\": \"snyk\", \"dateUpdated\": \"2023-09-28T05:00:01.328Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-26145\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-23T19:02:59.017Z\", \"dateReserved\": \"2023-02-20T10:28:48.928Z\", \"assignerOrgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"datePublished\": \"2023-09-28T05:00:01.328Z\", \"assignerShortName\": \"snyk\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.