ThanatosDi/EpubConv_Python

pyinstaller-4.2.tar.gz: 3 vulnerabilities (highest severity is: 7.8)


Vulnerable Library - pyinstaller-4.2.tar.gz

PyInstaller bundles a Python application and all its dependencies into a single package.

Library home page: https://files.pythonhosted.org/packages/b4/83/9f6ff034650abe9778c9a4f86bcead63f89a62acf02b1b47fc2bfc6bf8dd/pyinstaller-4.2.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8085e1ecdb0f4680ca290e975bd093ed9fce3b55

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (pyinstaller version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-49797 | High | 7.8 | pyinstaller-4.2.tar.gz | Direct | 5.13.1 | |
| CVE-2024-6345 | High | 7.0 | setuptools-68.0.0-py3-none-any.whl | Transitive | N/A* | |
| CVE-2024-5569 | Low | 3.3 | zipp-3.15.0-py3-none-any.whl | Transitive | 4.3 | |

*For some transitive vulnerabilities, there is no version of the direct dependency that includes a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-49797

Vulnerable Library - pyinstaller-4.2.tar.gz

PyInstaller bundles a Python application and all its dependencies into a single package.

Library home page: https://files.pythonhosted.org/packages/b4/83/9f6ff034650abe9778c9a4f86bcead63f89a62acf02b1b47fc2bfc6bf8dd/pyinstaller-4.2.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • pyinstaller-4.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 8085e1ecdb0f4680ca290e975bd093ed9fce3b55

Found in base branch: main

Vulnerability Details

PyInstaller bundles a Python application and all its dependencies into a single package. A PyInstaller-built application, running as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to. A user is affected if all of the following are satisfied:

  1. The user runs an application containing either matplotlib or win32com.
  2. The application is run as administrator (or at least as a user with higher privileges than the attacker).
  3. The user's temporary directory is not locked to that specific user (most likely because the TMP/TEMP environment variables point to an unprotected, arbitrary, non-default location).

And either:

  • A. The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between shutil.rmtree()'s built-in symlink check and the deletion itself.
  • B. The application was built with Python 3.7.x or earlier, which has no protection against Directory Junction links.

The vulnerability has been addressed in PR #7827, which corresponds to pyinstaller >= 5.13.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-12-09

URL: CVE-2023-49797

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w2p-rh8c-v9g5

Release Date: 2023-12-09

Fix Resolution: 5.13.1

Step up your Open Source Security Game with Mend here

CVE-2024-6345

Vulnerable Library - setuptools-68.0.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/c7/42/be1c7bbdd83e1bfb160c94b9cafd8e25efc7400346cf7ccdbdb452c467fa/setuptools-68.0.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • pyinstaller-4.2.tar.gz (Root Library)
    • setuptools-68.0.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8085e1ecdb0f4680ca290e975bd093ed9fce3b55

Found in base branch: main

Vulnerability Details

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Publish Date: 2024-07-15

URL: CVE-2024-6345

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-6345

Release Date: 2024-07-15

Fix Resolution: setuptools - 70.0.0


CVE-2024-5569

Vulnerable Library - zipp-3.15.0-py3-none-any.whl

Backport of pathlib-compatible object wrapper for zip files

Library home page: https://files.pythonhosted.org/packages/5b/fa/c9e82bbe1af6266adf08afb563905eb87cab83fde00a0a08963510621047/zipp-3.15.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • pyinstaller-4.2.tar.gz (Root Library)
    • importlib_metadata-6.7.0-py3-none-any.whl
      • zipp-3.15.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8085e1ecdb0f4680ca290e975bd093ed9fce3b55

Found in base branch: main

Vulnerability Details

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, since features from the third-party zipp library were later merged into CPython and the affected code is identical in both projects. The infinite loop can be initiated through functions of the Path class in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop does not exhaust system resources, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.

Publish Date: 2024-07-09

URL: CVE-2024-5569

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae

Release Date: 2024-07-09

Fix Resolution (zipp): 3.19.1

Direct dependency fix resolution (pyinstaller): 4.3
