CVE - CVE-2023-26145

CVE-ID
CVE-2023-26145	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. Note: The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca URL:https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca MISC:https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021 URL:https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021 MISC:https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518 URL:https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518
Assigning CNA
Snyk
Date Record Created
20230220	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20230220)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)