CVE-2023-26145 - OpenCVE

This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Derrickgilland	Pydash

Configuration 1 [-]

cpe:2.3:a:derrickgilland:pydash:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca
https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021
https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518

History

Mon, 23 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2023-09-28T05:00:01.328Z

Updated: 2024-09-23T19:02:59.017Z

Reserved: 2023-02-20T10:28:48.928Z

Link: CVE-2023-26145

Vulnrichment

Updated: 2024-08-02T11:39:06.569Z

NVD

Status : Modified

Published: 2023-09-28T05:15:45.843

Modified: 2023-11-07T04:09:28.020

Link: CVE-2023-26145

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26145", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-20T10:28:48.928Z", "datePublished": "2023-09-28T05:00:01.328Z", "dateUpdated": "2024-09-23T19:02:59.017Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P"}}], "credits": [{"value": "Calum Hutton", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "Command Injection", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-09-28T05:00:01.328Z"}, "descriptions": [{"value": "This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\r\r**Note:**\r\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\r\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\r\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\r\r\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518"}, {"url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca"}, {"url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021"}], "affected": [{"product": "pydash", "versions": [{"version": "0", "lessThan": "6.0.0", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.569Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca", "tags": ["x_transferred"]}, {"url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T19:02:43.525044Z", "id": "CVE-2023-26145", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:02:59.017Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca", "tags": ["x_transferred"]}, {"url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.569Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26145", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-23T19:02:43.525044Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:02:54.375Z"}}], "cna": {"credits": [{"lang": "en", "value": "Calum Hutton"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "pydash", "versions": [{"status": "affected", "version": "0", "lessThan": "6.0.0", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518"}, {"url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca"}, {"url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021"}], "descriptions": [{"lang": "en", "value": "This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\r\r**Note:**\r\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\r\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\r\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\r\r\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-09-28T05:00:01.328Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26145", "state": "PUBLISHED", "dateUpdated": "2024-09-23T19:02:59.017Z", "dateReserved": "2023-02-20T10:28:48.928Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2023-09-28T05:00:01.328Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:derrickgilland:pydash:*:*:*:*:*:*:*:*", "matchCriteriaId": "78227353-EE51-4D4E-8B42-A4ADE5B179BF", "versionEndExcluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\r\r**Note:**\r\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\r\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\r\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\r\r\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete pydash anteriores a la 6.0.0. Varios m\u00e9todos de pydash, como pydash.objects.invoke() y pydash.collections.invoke_map(), aceptan rutas de puntos (Deep Path Strings) para apuntar a un objeto Python anidado, en relaci\u00f3n con el objeto fuente original. Estas rutas se pueden utilizar para apuntar a atributos internos de clase y elementos de dictado, para recuperar, modificar o invocar objetos Python anidados. **Nota:** El m\u00e9todo pydash.objects.invoke() es vulnerable a la inyecci\u00f3n de comandos cuando se cumplen los siguientes requisitos previos: \n1) El objeto fuente (argumento 1) no es un objeto integrado como list/dict (de lo contrario, the __init__.__globals__ path no es accesible) \n2) El atacante tiene control sobre el argumento 2 (la cadena de ruta)\n3) El argumento (el argumento para pasar al m\u00e9todo invocado) \nEl m\u00e9todo pydash.collections.invoke_map() tambi\u00e9n es vulnerable, pero es m\u00e1s dif\u00edcil de explotar ya que el atacante no tiene control directo sobre el argumento que se pasar\u00e1 a la funci\u00f3n invocada.\n"}], "id": "CVE-2023-26145", "lastModified": "2023-11-07T04:09:28.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-09-28T05:15:45.843", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "report@snyk.io", "type": "Secondary"}]}