Vulnerability Information
Vulnerability Title
Sandbox escape via various forms of "format" in RestrictedPython
Vulnerability Description
RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With `RestrictedPython`, the format functionality is available via the `format` and `format_map` methods of `str` (and `unicode`) (accessed either via the class or its instances) and via `string.Formatter`. All known versions of `RestrictedPython` are vulnerable. This issue has been addressed in commit `4134aedcff1` which has been included in the 5.4 and 6.2 releases. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Vulnerability Type
Improper neutralization of special elements in output (injection)
Vulnerability Title
RestrictedPython injection vulnerability
Vulnerability Description
RestrictedPython is a tool that helps define a subset of the Python language so that program input can be supplied to a trusted environment. RestrictedPython contains an injection vulnerability: Python's format function allows whoever controls the format string to read all objects reachable through recursive attribute lookup and subscription from the objects they can access, which can lead to critical information disclosure.
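Added illustration of the mechanism both descriptions above refer to (this is example code, not code from the advisory or from RestrictedPython): plain `str.format` lets the template author walk attributes of any argument, while a `string.Formatter` subclass that refuses `.` and `[` traversal and non-`!s` conversions only exposes each argument's `str()` form. The `Settings` class, its `_secret_token` value and the `StrictFormatter` name are constructed for this example.

```python
import string


class Settings:
    """Constructed sample object handed to the formatter. It stands in for
    any object a sandboxed template might receive as a format argument."""

    def __init__(self):
        self.name = "demo"
        self._secret_token = "CONSTRUCTED-SECRET"  # constructed, not real

    def __str__(self):
        return self.name


def render_unsafe(template, obj):
    """Plain str.format: the template author controls attribute lookup and
    subscription on obj, which is the disclosure the advisory describes."""
    return template.format(obj)


class StrictFormatter(string.Formatter):
    """Formatter that refuses attribute access ('.'), subscription ('[')
    and repr-style conversions inside replacement fields (including fields
    nested in a format spec), so a template only sees str() of whole args."""

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(f"field traversal not allowed: {field_name!r}")
        return super().get_field(field_name, args, kwargs)

    def convert_field(self, value, conversion):
        if conversion not in (None, "s"):
            raise ValueError(f"conversion not allowed: !{conversion}")
        return super().convert_field(value, conversion)


def render_strict(template, obj):
    """Hardened rendering with the same call shape as render_unsafe."""
    return StrictFormatter().format(template, obj)


def is_rejected(template, obj):
    """True if the strict formatter refuses the template."""
    try:
        render_strict(template, obj)
    except ValueError:
        return True
    return False
```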
CVSS Information
N/A
Vulnerability Type
N/A