Date: Thu, 14 May 2020 15:14:51 -0300 From: Matheus Bratfisch <matheusbrat@...il.com> To: oss-security@...ts.openwall.com Subject: Python Beaker - Deserialization of Untrasted Data which can lead to Arbitrary code execution Hello all, python beaker is affected by Deserialization of untrusted data (CWE-502) which could lead to Arbitrary code execution. I believe it was initially pointed out the flaw on Session here: https://github.com/bbangert/beaker/issues/35 Some improvements were made by adding a secret/HMAC but the Cache layer still has the same flaw. I reported the flaw on cache level here: https://github.com/bbangert/beaker/issues/191 I created a POC but didn't publish it on the ticket. There is no CVE assigned to this. This package exists on Fedora and Debian at least. Should I take any extra action? Best regards, -- Matheus (X-warrior) Bratfisch. http://matbra.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.