Code Injection in pyload/pyload
CVE-2023-0297

9.8CRITICAL

Key Information:

Vendor
Pyload
Status
Pyload/pyload
Vendor
CVE Published:
14 January 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 93%

Summary

A code injection vulnerability in the Pyload application allows an attacker to execute arbitrary code. This issue affects versions of Pyload before 0.5.0b3.dev31, posing risks of unauthorized access and potential data compromise. Users are encouraged to upgrade to the latest version to mitigate these risks. For details on the fix, refer to the relevant commit on GitHub and consider security best practices to safeguard your applications.

Affected Version(s)

pyload/pyload < 0.5.0b3.dev31

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Metasploit exploit module for CVE-2023-0297
Created by Rapid7

CVE-2023-0297_Pre-auth_RCE_in_pyLoad
Created by bAuh0lz

CVE-2023-0297
Created by JacobEbben

References

https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889...
https://github.com/pyload/pyload/commit/7d73ba7919e594d78...
http://packetstormsecurity.com/files/171096/pyLoad-js2py-...

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.