PT-2019-14629 · Rpyc+1 · Rpyc+1

Published

2019-10-03

Updated

2024-07-12

CVE-2019-16328

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions RPyC versions 4.1.x through 4.1.1

Description A remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.

Recommendations For RPyC versions 4.1.x through 4.1.1, consider disabling remote procedure calls until a patch is available. Restrict access to the RPyC service to minimize the risk of exploitation. Avoid using default configuration settings for the RPyC service until the issue is resolved.

Exploit

Fix

Prototype Pollution

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1321CWE-285

Related Identifiers

CVE-2019-16328

GHSA-9GGP-4JPR-7PPJ

GHSA-PJ4G-4488-WMXM

OPENSUSE-SU-2020:0685-1

OPENSUSE-SU-2020:0763-1

OPENSUSE-SU-2020_0685-1

OPENSUSE-SU-2024:11268-1

OPENSUSE-SU-2024:14162-1

PYSEC-2019-118

Affected Products

Rpyc

Suse

PT-2019-14629 · Rpyc+1 · Rpyc+1

CVE-2019-16328

Weakness Enumeration

Related Identifiers

Affected Products

References · 25