Sandbox escape via various forms of "format" in RestrictedPython
CVE-2023-41039

8.3HIGH

Key Information:

Vendor
CVE Published:
30 August 2023

What is CVE-2023-41039?

RestrictedPython, a secure execution environment for Python, is susceptible to an information disclosure vulnerability leveraging the format functionality in Python. Attackers with control over format strings can exploit this to access sensitive objects and data through recursive attribute lookup and subscription. All known versions of RestrictedPython are affected. The issue has been addressed in subsequent releases 5.4 and 6.2, and users are strongly encouraged to upgrade to mitigate this risk. Unfortunately, there are currently no known workarounds for this vulnerability.

Affected Version(s)

RestrictedPython < 5.4 < 5.4

RestrictedPython >= 6.0, < 6.1 < 6.0, 6.1

References

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.