Sandbox escape via various forms of "format" in RestrictedPython
CVE-2023-41039
8.3HIGH
What is CVE-2023-41039?
RestrictedPython, a secure execution environment for Python, is susceptible to an information disclosure vulnerability leveraging the format functionality in Python. Attackers with control over format strings can exploit this to access sensitive objects and data through recursive attribute lookup and subscription. All known versions of RestrictedPython are affected. The issue has been addressed in subsequent releases 5.4 and 6.2, and users are strongly encouraged to upgrade to mitigate this risk. Unfortunately, there are currently no known workarounds for this vulnerability.
Affected Version(s)
RestrictedPython < 5.4 < 5.4
RestrictedPython >= 6.0, < 6.1 < 6.0, 6.1
