GHSA-VG99-GR89-QHW9
Vulnerability from github – Published: 2026-07-13 18:37 – Updated: 2026-07-13 18:37Summary
The second stage pilot (pilot.tar) is downloaded by the initial wrapper script without any verification of the webservers' SSL certificate and the contained script is subsequently executed. The checksum is tested, but the reference checksum file is downloaded over the same unvalidated channel.
Details
The pilot wrapper downloads and executes the main second stage pilot script, but the SSL validation on this connection is explicitly disabled (to match old python < 2.7.9 behaviour): https://github.com/DIRACGrid/DIRAC/blob/integration/src/DIRAC/WorkloadManagementSystem/Utilities/PilotWrapper.py#L292-L296
This means that the second stage pilot code is not verified in any way and could potentially be altered by a man-in-the-middle attack to execute arbitrary code in the pilot context (i.e. with access to the pilot proxy/credentials).
The HTTPS connection should be validated against both the system certificates and $X509_CERT_DIR and fail if neither validate correctly.
Impact
This would require a man-in-the-middle style attack against a grid site's network (i.e. changing the DNS or routing to redirect the pilot's connection); this is likely to be difficult which probably limits the potential impact.
Patched versions:
https://pypi.org/project/DIRAC/8.0.79/ https://pypi.org/project/DIRAC/9.0.22/ https://pypi.org/project/DIRAC/9.1.10/
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "DIRAC"
},
"ranges": [
{
"events": [
{
"introduced": "6.20.1"
},
{
"fixed": "8.0.79"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "DIRAC"
},
"ranges": [
{
"events": [
{
"introduced": "8.1.0a1"
},
{
"fixed": "9.0.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "DIRAC"
},
"ranges": [
{
"events": [
{
"introduced": "9.1.0"
},
{
"fixed": "9.1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-61668"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-13T18:37:51Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe second stage pilot (pilot.tar) is downloaded by the initial wrapper script without any verification of the webservers\u0027 SSL certificate and the contained script is subsequently executed. The checksum is tested, but the reference checksum file is downloaded over the same unvalidated channel.\n\n### Details\nThe pilot wrapper downloads and executes the main second stage pilot script, but the SSL validation on this connection is explicitly disabled (to match old python \u003c 2.7.9 behaviour):\nhttps://github.com/DIRACGrid/DIRAC/blob/integration/src/DIRAC/WorkloadManagementSystem/Utilities/PilotWrapper.py#L292-L296\n\nThis means that the second stage pilot code is not verified in any way and could potentially be altered by a man-in-the-middle attack to execute arbitrary code in the pilot context (i.e. with access to the pilot proxy/credentials).\n\nThe HTTPS connection should be validated against both the system certificates and $X509_CERT_DIR and fail if neither validate correctly.\n\n### Impact\nThis would require a man-in-the-middle style attack against a grid site\u0027s network (i.e. changing the DNS or routing to redirect the pilot\u0027s connection); this is likely to be difficult which probably limits the potential impact.\n\n### Patched versions:\nhttps://pypi.org/project/DIRAC/8.0.79/\nhttps://pypi.org/project/DIRAC/9.0.22/\nhttps://pypi.org/project/DIRAC/9.1.10/",
"id": "GHSA-vg99-gr89-qhw9",
"modified": "2026-07-13T18:37:51Z",
"published": "2026-07-13T18:37:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/DIRACGrid/DIRAC/security/advisories/GHSA-vg99-gr89-qhw9"
},
{
"type": "PACKAGE",
"url": "https://github.com/DIRACGrid/DIRAC"
},
{
"type": "WEB",
"url": "https://pypi.org/project/DIRAC/8.0.79"
},
{
"type": "WEB",
"url": "https://pypi.org/project/DIRAC/9.0.22"
},
{
"type": "WEB",
"url": "https://pypi.org/project/DIRAC/9.1.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "DIRAC: Pilot code downloaded over unverified HTTPS connection"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.