CVE-2023-34457 - OpenCVE

MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a `<input type="file" ...>` inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Mechanicalsoup Project	Mechanicalsoup

Configuration 1 [-]

cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:*:*:*:*:*:python:*:*

No data.

References

Link	Providers
https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e
https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0
https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4
https://security.netapp.com/advisory/ntap-20230803-0005/

History

Thu, 24 Oct 2024 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-05T19:25:35.966Z

Updated: 2024-10-24T18:18:50.540Z

Reserved: 2023-06-06T16:16:53.559Z

Link: CVE-2023-34457

Vulnrichment

Updated: 2024-08-02T16:10:06.995Z

NVD

Status : Modified

Published: 2023-07-05T20:15:10.343

Modified: 2023-08-03T15:15:24.573

Link: CVE-2023-34457

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34457", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-06T16:16:53.559Z", "datePublished": "2023-07-05T19:25:35.966Z", "dateUpdated": "2024-10-24T18:18:50.540Z"}, "containers": {"cna": {"title": "MechanicalSoup vulnerable to malicious web server reading arbitrary files on client using file input inside HTML form", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4"}, {"name": "https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e", "tags": ["x_refsource_MISC"], "url": "https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e"}, {"name": "https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0"}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0005/"}], "affected": [{"vendor": "MechanicalSoup", "product": "MechanicalSoup", "versions": [{"version": ">= 0.2.0, < 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-05T19:25:35.966Z"}, "descriptions": [{"lang": "en", "value": "MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a `<input type=\"file\" ...>` inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue."}], "source": {"advisory": "GHSA-x456-3ccm-m6j4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:06.995Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4"}, {"name": "https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e"}, {"name": "https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0"}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0005/", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "mechanicalsoup_project", "product": "mechanicalsoup", "cpes": ["cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:*:*:*:*:*:python:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0.2.0", "status": "affected", "lessThan": "1.3.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-24T17:59:35.918865Z", "id": "CVE-2023-34457", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-24T18:18:50.540Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4", "name": "https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e", "name": "https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0", "name": "https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0005/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:06.995Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-34457", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-24T17:59:35.918865Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:*:*:*:*:*:python:*:*"], "vendor": "mechanicalsoup_project", "product": "mechanicalsoup", "versions": [{"status": "affected", "version": "0.2.0", "lessThan": "1.3.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-24T18:18:41.756Z"}}], "cna": {"title": "MechanicalSoup vulnerable to malicious web server reading arbitrary files on client using file input inside HTML form", "source": {"advisory": "GHSA-x456-3ccm-m6j4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MechanicalSoup", "product": "MechanicalSoup", "versions": [{"status": "affected", "version": ">= 0.2.0, < 1.3.0"}]}], "references": [{"url": "https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4", "name": "https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e", "name": "https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0", "name": "https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0005/"}], "descriptions": [{"lang": "en", "value": "MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a `<input type=\"file\" ...>` inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-05T19:25:35.966Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34457", "state": "PUBLISHED", "dateUpdated": "2024-10-24T18:18:50.540Z", "dateReserved": "2023-06-06T16:16:53.559Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-07-05T19:25:35.966Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:*:*:*:*:*:python:*:*", "matchCriteriaId": "1F95051A-887C-4851-9127-7088A48E823D", "versionEndExcluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a `<input type=\"file\" ...>` inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue."}], "id": "CVE-2023-34457", "lastModified": "2023-08-03T15:15:24.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-07-05T20:15:10.343", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20230803-0005/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Secondary"}]}