PT-2024-32646 · Unknown+3 · Restrictedpython+3

Dronex7070 +1 · Published 2024-09-30 · Updated 2025-03-18 · CVE-2024-47532

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

RestrictedPython versions prior to 7.3

Description

A user can gain access to protected information indirectly via AttributeError.obj and the string module. This issue allows unauthorized access to potentially sensitive information.

Recommendations

For versions prior to 7.3, as a temporary workaround, consider removing the string module from RestrictedPython.Utilities.utility_builtins if the application does not require access to it, or otherwise do not make it available in the restricted execution environment. Update to version 7.3 to fully resolve the issue.
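
The version check and the workaround above, as an added example (not code from this advisory or from the RestrictedPython project): it reports whether an installed release predates 7.3 and removes every reference to the string module from the globals handed to restricted code. All function names are hypothetical, and the sample globals are constructed for illustration.

```python
import re
import string
from importlib import metadata

FIXED = (7, 3)  # first fixed release according to the advisory


def is_affected(version):
    """True if a RestrictedPython version string is older than 7.3.
    Only major.minor are compared; pre-release tags are ignored."""
    nums = []
    for piece in version.split(".")[:2]:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 2:
        nums.append(0)
    return tuple(nums) < FIXED


def installed_version():
    """Installed RestrictedPython version, or None if it is not installed."""
    try:
        return metadata.version("RestrictedPython")
    except metadata.PackageNotFoundError:
        return None


def exposed_names(globs):
    """Names in a restricted-globals dict (and its __builtins__ dict) bound to the string module."""
    found = [k for k, v in globs.items() if v is string]
    inner = globs.get("__builtins__")
    if isinstance(inner, dict):
        found += ["__builtins__." + k for k, v in inner.items() if v is string]
    return sorted(found)


def harden_globals(globs):
    """Copy of globs with the string module removed at both levels, whatever name it is bound to."""
    out = {k: v for k, v in globs.items() if v is not string}
    if isinstance(out.get("__builtins__"), dict):
        out["__builtins__"] = {k: v for k, v in out["__builtins__"].items() if v is not string}
    return out


if __name__ == "__main__":
    ver = installed_version()
    print("installed:", ver, "affected:", ver is not None and is_affected(ver))
    # Constructed globals for illustration; a real application passes its own.
    sample = {"__builtins__": {"len": len, "string": string}, "string": string}
    print("before:", exposed_names(sample), "after:", exposed_names(harden_globals(sample)))
```

The same filter can be applied to a copy of RestrictedPython.Utilities.utility_builtins before it is merged into the restricted globals; upgrading to 7.3 remains the full fix.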

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-47532
GHSA-5RFV-66G4-JR8H
PYSEC-2024-186
USN-7355-1

Affected Products

Debian
Linuxmint
Restrictedpython
Ubuntu