Date: Thu, 14 May 2020 15:14:51 -0300
From: Matheus Bratfisch <matheusbrat@...il.com>
To: oss-security@...ts.openwall.com
Subject: Python Beaker - Deserialization of Untrusted Data which can lead to Arbitrary code execution

Hello all,

Python Beaker is affected by deserialization of untrusted data (CWE-502),
which could lead to arbitrary code execution.

I believe the flaw in Session was initially pointed out here:
https://github.com/bbangert/beaker/issues/35

Some improvements were made by adding a secret/HMAC, but the Cache layer
still has the same flaw. I reported the flaw at the cache level here:
https://github.com/bbangert/beaker/issues/191
I created a POC but didn't publish it on the ticket.

There is no CVE assigned to this.

This package exists on Fedora and Debian at least.

Should I take any extra action?

Best regards,
--
Matheus (X-warrior) Bratfisch.
http://matbra.com
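As an added illustration of the mitigation the post refers to (a secret/HMAC applied to serialized data before it is trusted), here is a minimal authenticate-then-unpickle wrapper for cache entries. This is example code written for this page, not Beaker's implementation; the secret value and the sample cache entry are constructed placeholders.

```python
import hashlib
import hmac
import pickle

# Constructed secret for the example only; a real deployment loads it from
# configuration and never hard-codes it.
SECRET = b"example-secret-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def pack(obj: object, secret: bytes = SECRET) -> bytes:
    """Serialize obj with pickle and prepend an HMAC-SHA256 tag over the bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return tag + payload


def unpack(blob: bytes, secret: bytes = SECRET) -> object:
    """Verify the tag first; only data that passes is handed to pickle.loads."""
    if len(blob) < TAG_LEN:
        raise ValueError("cache entry too short to carry an HMAC tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache entry failed HMAC check; refusing to unpickle")
    return pickle.loads(payload)


def roundtrip_ok(value: object) -> bool:
    """A genuine entry written by pack() is accepted and decodes to the same value."""
    return unpack(pack(value)) == value


def tampered_rejected(value: object) -> bool:
    """Flipping one byte of the stored payload must make unpack() refuse it."""
    blob = bytearray(pack(value))
    blob[-1] ^= 0xFF  # corrupt the last byte of the pickle payload
    try:
        unpack(bytes(blob))
    except ValueError:
        return True
    return False


def unauthenticated_rejected(value: object) -> bool:
    """A bare pickle with no tag (the pre-HMAC cache format) is never loaded."""
    try:
        unpack(pickle.dumps(value))
    except ValueError:
        return True
    return False
```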
