Main Vulnerability Database Vulnerabilities #VU85113

Code Injection in pydash - CVE-2023-26145

Published: January 9, 2024

Vulnerability identifier: #VU85113

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2023-26145

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
pydash

Software vendor:
dgilland (Derrick Gilland)

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. A remote attacker can use these paths to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.

Remediation

Install updates from vendor's website.

External links

https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021
https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca
https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518

Code Injection in pydash - CVE-2023-26145

Description

Remediation

External links

Please verify you're human