RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows whoever controls the format string to "read" every object reachable through recursive attribute lookup and subscription from the objects they can access. This can lead to critical information disclosure. With `RestrictedPython`, the format functionality is reachable via the `format` and `format_map` methods of `str` (and `unicode`), accessed either via the class or its instances, and via `string.Formatter`. All known versions of `RestrictedPython` are vulnerable. This issue has been addressed in commit `4134aedcff1`, which is included in the 5.4 and 6.2 releases. Users are advised to upgrade. There are no known workarounds for this vulnerability.
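As an added illustration of the class of mitigation the advisory implies (this is example code, not RestrictedPython's own fix from the referenced commit), the following `string.Formatter` subclass refuses any replacement field that takes an attribute or subscript step, and a companion scanner reports such fields in a template before it is ever formatted. The names `NoTraversalFormatter`, `safe_format` and `find_traversal_fields` are assumptions of this example.

```python
import string


class NoTraversalFormatter(string.Formatter):
    """str.format-compatible formatter that refuses attribute/index traversal.

    A field such as {0} or {name} is resolved normally; a field such as
    {0.__class__} or {user[secret]} is rejected before any lookup happens,
    so the author of the format string cannot walk from the arguments to
    other objects. Example code; not RestrictedPython's own fix.
    """

    def get_field(self, field_name, args, kwargs):
        # field_name is the raw text between '{' and any '!' or ':'. The
        # leading argument name can never contain '.' or '[', so either
        # character means an attribute or subscript step follows it.
        if "." in field_name or "[" in field_name:
            raise ValueError(f"traversal not allowed in field {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def safe_format(fmt: str, *args, **kwargs) -> str:
    """Format with NoTraversalFormatter; raises ValueError on traversal."""
    return NoTraversalFormatter().format(fmt, *args, **kwargs)


def find_traversal_fields(fmt: str) -> list:
    """Return the replacement fields of fmt that use '.attr' or '[key]' access.

    Nested fields inside a format spec, e.g. {x:{1.real}}, are scanned too.
    Useful for vetting user-supplied templates without formatting them.
    """
    found = []
    for _literal, field_name, format_spec, _conv in string.Formatter().parse(fmt):
        if field_name is None:        # trailing literal text, no field
            continue
        if "." in field_name or "[" in field_name:
            found.append(field_name)
        if format_spec:               # nested replacement fields in the spec
            found.extend(find_traversal_fields(format_spec))
    return found


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    print(safe_format("Hello {name}, you have {0:>{1}} messages", 7, 4, name="ann"))
    print(find_traversal_fields("{0.__class__} {user[password]} {x:{1.real}}"))
```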
Published 2023-08-30 18:15:10
Updated 2023-09-05 15:06:09
Source GitHub, Inc.
View at NVD, CVE.org
Vulnerability category: Information leak

Products affected by CVE-2023-41039

Exploit prediction scoring system (EPSS) score for CVE-2023-41039

0.07%: probability of exploitation activity in the next 30 days
~32%: percentile, the proportion of vulnerabilities scored at or below this value

CVSS scores for CVE-2023-41039

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 3.1 | 4.0 | NIST
8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L | 1.7 | 6.0 | GitHub, Inc.

CWE ids for CVE-2023-41039

References for CVE-2023-41039
