CVE-2023-48699 - OpenCVE

fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ubertidavide	Fastbots

Configuration 1 [-]

cpe:2.3:a:ubertidavide:fastbots:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57
https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806
https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-21T22:25:41.183Z

Updated: 2024-08-02T21:37:53.483Z

Reserved: 2023-11-17T19:43:37.553Z

Link: CVE-2023-48699

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-21T23:15:08.103

Modified: 2023-11-30T15:15:03.913

Link: CVE-2023-48699

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48699", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-17T19:43:37.553Z", "datePublished": "2023-11-21T22:25:41.183Z", "dateUpdated": "2024-08-02T21:37:53.483Z"}, "containers": {"cna": {"title": "fastbots Eval Injection vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-95", "lang": "en", "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9"}, {"name": "https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806", "tags": ["x_refsource_MISC"], "url": "https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806"}, {"name": "https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57", "tags": ["x_refsource_MISC"], "url": "https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57"}], "affected": [{"vendor": "ubertidavide", "product": "fastbots", "versions": [{"version": "< 0.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-21T22:25:41.183Z"}, "descriptions": [{"lang": "en", "value": "fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above."}], "source": {"advisory": "GHSA-vccg-f4gp-45x9", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:37:53.483Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9"}, {"name": "https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806"}, {"name": "https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ubertidavide:fastbots:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4D23CDD-ACB2-427B-BC2C-1F98D79FE70C", "versionEndExcluding": "0.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above."}, {"lang": "es", "value": "fastbots es una librer\u00eda para el desarrollo r\u00e1pido de robots y raspadores utilizando selenio y el dise\u00f1o de Page Object Model (POM). Antes de la versi\u00f3n 0.1.5, un atacante pod\u00eda modificar el archivo localizador locators.ini con c\u00f3digo Python que sin la validaci\u00f3n adecuada se ejecutaba y podr\u00eda provocar rce. La vulnerabilidad est\u00e1 en la funci\u00f3n `def __locator__(self, locator_name: str)` en `page.py`. Para mitigar este problema, actualice a la versi\u00f3n 0.1.5 o superior de fastbots."}], "id": "CVE-2023-48699", "lastModified": "2023-11-30T15:15:03.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-21T23:15:08.103", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-95"}], "source": "security-advisories@github.com", "type": "Secondary"}]}