pysec - pysec-2019-153

pysec-2019-153

Vulnerability from pysec

Published

2019-01-10 21:29

Modified

2021-07-05 00:01

Details

modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.

Impacted products

Name	purl
modulemd	pkg:pypi/modulemd

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "modulemd",
        "purl": "pkg:pypi/modulemd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.1.0",
        "1.2.0",
        "1.3.0",
        "1.3.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2017-1002157",
    "GHSA-jhjh-ghwx-6h7r"
  ],
  "details": "modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.",
  "id": "PYSEC-2019-153",
  "modified": "2021-07-05T00:01:22.789825Z",
  "published": "2019-01-10T21:29:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://pagure.io/modulemd/issue/55"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-jhjh-ghwx-6h7r"
    }
  ]
}

ghsa-jhjh-ghwx-6h7r

Vulnerability from github

Published

2019-01-17 13:56

Modified

2024-09-24 20:48

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

modulemd uses an unsafe function for processing externally provided data

Details

modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "modulemd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-1002157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-242"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:43:31Z",
    "nvd_published_at": "2019-01-10T21:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.",
  "id": "GHSA-jhjh-ghwx-6h7r",
  "modified": "2024-09-24T20:48:00Z",
  "published": "2019-01-17T13:56:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1002157"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/modulemd/PYSEC-2019-153.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xsuchy/modulemd"
    },
    {
      "type": "WEB",
      "url": "https://pagure.io/modulemd/issue/55"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "modulemd uses an unsafe function for processing externally provided data"
}

CVE-2017-1002157 (GCVE-0-2017-1002157)

Vulnerability from cvelistv5

Published

2019-01-10 21:00

Modified

2024-09-16 16:47

Severity ?

CWE

CWE-242

Summary

modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.

References

►

URL

Tags

https://pagure.io/modulemd/issue/55

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Fedora Modularity	modulemd	Version: unspecified <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:08:12.695Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pagure.io/modulemd/issue/55"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "modulemd",
          "vendor": "Fedora Modularity",
          "versions": [
            {
              "lessThanOrEqual": "1.3.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "dateAssigned": "2017-10-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-242",
              "description": "CWE-242",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-01-10T21:00:00Z",
        "orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
        "shortName": "fedora"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pagure.io/modulemd/issue/55"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "patrick@puiterwijk.org",
          "DATE_ASSIGNED": "2017-10-22T17:19Z",
          "ID": "CVE-2017-1002157",
          "REQUESTER": "patrick@puiterwijk.org",
          "STATE": "PUBLIC",
          "UPDATED": "2017-10-22T17:19Z"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "modulemd",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "1.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Fedora Modularity"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-242"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pagure.io/modulemd/issue/55",
              "refsource": "CONFIRM",
              "url": "https://pagure.io/modulemd/issue/55"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
    "assignerShortName": "fedora",
    "cveId": "CVE-2017-1002157",
    "datePublished": "2019-01-10T21:00:00Z",
    "dateReserved": "2019-01-10T00:00:00Z",
    "dateUpdated": "2024-09-16T16:47:59.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2019-153

Vulnerability from pysec

ghsa-jhjh-ghwx-6h7r

Vulnerability from github

CVE-2017-1002157 (GCVE-0-2017-1002157)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature