CVE-2024-47532: RestrictedPython information leakage via `AttributeError.obj` and the `string` module
First published: Mon Sep 30 2024(Updated: )
### Impact A user can gain access to protected (and potentially sensible) information indirectly via `AttributeError.obj` and the `string` module. ### Patches The problem will be fixed in version 7.3. ### Workarounds If the application does not require access to the module `string`, it can remove it from `RestrictedPython.Utilities.utility_builtins` or otherwise do not make it available in the restricted execution environment.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/RestrictedPython | <7.3 | 7.3 |
| Zope Restrictedpython | <7.3 |
Remedy
https://github.com/zopefoundation/RestrictedPython/commit/d701cc36cccac36b21fa200f1f2d1945a9a215e6
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5rfv-66g4-jr8h
- alias/CVE-2024-47532
- agent/software-canonical-lookup
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/nvd-api
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/trending
- package-manager/pip
- vendor/zope
- canonical/zope restrictedpython