CVE-2023-0297

Name of the Vulnerable Software and Affected Versions pyload/pyload versions prior to 0.5.0b3.dev31

Description The issue concerns a code injection vulnerability in the pyload/pyload GitHub repository. It allows for pre-authentication remote code execution (RCE) due to the integration of JavaScript in Python using the js2py library. Specifically, the eval js() function is vulnerable, as it executes JavaScript code passed through the jk parameter. This allows attackers to inject arbitrary commands. An example of exploitation is through a POST request to the /amogus/test endpoint with malicious jk parameter content, such as jk=pyimport os;os.system("touch /tmp/pwnd");f=function f2(){};. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited.

Recommendations For versions prior to 0.5.0b3.dev31, update to version 0.5.0b3.dev31 or later to resolve the issue. As a temporary workaround, consider restricting access to the eval js() function and the /amogus/test endpoint until a patch is applied. Avoid using the jk parameter in the affected API endpoint until the issue is resolved.