# N/A
## 漏洞概述
js2py组件中的js2py.disable_pyimport()函数存在安全问题,攻击者可以通过精心构造的API调用来执行任意代码。
## 影响版本
影响版本为js2py v0.74及之前版本。
## 漏洞细节
在js2py.disable_pyimport()函数中存在一个漏洞,该漏洞允许攻击者通过特定的API调用执行任意代码。
## 漏洞影响
攻击者可能利用此漏洞执行任意代码,这可能导致严重的安全问题,包括数据泄露、系统受损等。
是否为 Web 类漏洞: 是
判断理由:
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | to be released | https://github.com/Marven11/CVE-2024-28397 | POC详情 |
| 2 | CVE-2024-28397: js2py sandbox escape, bypass pyimport restriction. | https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape | POC详情 |
| 3 | None | https://github.com/CYBER-WARRIOR-SEC/CVE-2024-28397-js2py-Sandbox-Escape | POC详情 |
| 4 | An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-28397.yaml | POC详情 |
| 5 | This vulnerability arises from incomplete sandboxing in js2py, where crafted JavaScript can traverse Python’s internal object model and access dangerous classes like subprocess.Popen, leading to arbitrary command execution. | https://github.com/waleed-hassan569/CVE-2024-28397-command-execution-poc | POC详情 |
| 6 | The CVE-2024-28397 vulnerability affects versions of js2py up to v0.74, a Python library that allows JavaScript code to be executed within the Python interpreter. | https://github.com/0timeday/exploit-js2py | POC详情 |
| 7 | None | https://github.com/harutomo-jp/CVE-2024-28397-RCE | POC详情 |
| 8 | None | https://github.com/Naved124/CVE-2024-28397-js2py-Sandbox-Escape | POC详情 |
| 9 | The CVE-2024-28397 vulnerability affects versions of js2py up to v0.74, a Python library that allows JavaScript code to be executed within the Python interpreter. | https://github.com/releaseown/exploit-js2py | POC详情 |
| 10 | PoC exploit for CVE-2024-28397 – Remote Code Execution in pyload-ng via js2py sandbox escape | https://github.com/ExtremeUday/Remote-Code-Execution-CVE-2024-28397-pyload-ng-js2py- | POC详情 |
| 11 | This repository contains a python exploit code for CVE-2024-28397 intended for use on the "CodePartTwo" machine on Hack The Box (HTB). | https://github.com/naclapor/CVE-2024-28397 | POC详情 |
| 12 | None | https://github.com/0xDTC/js2py-Sandbox-Escape-CVE-2024-28397-RCE | POC详情 |
| 13 | This repository contains a Proof of Concept (PoC) for CVE-2024-28397, a vulnerability in the js2py library allowing a sandbox escape to achieve remote code execution. | https://github.com/nelissandro/CVE-2024-28397-Js2Py-RCE | POC详情 |
| 14 | CVE-2024-28397 - Remote Code Execution From Vulnerable JS2PY | https://github.com/vitaciminIPI/CVE-2024-28397-RCE | POC详情 |
| 15 | This vulnerability arises from incomplete sandboxing in js2py, where crafted JavaScript can traverse Python’s internal object model and access dangerous classes like subprocess.Popen, leading to arbitrary command execution. | https://github.com/Ghost-Overflow/CVE-2024-28397-command-execution-poc | POC详情 |
| 16 | Reverse shell for CVE-2024-28397. | https://github.com/0xPadme/CVE-2024-28397-Reverse-Shell | POC详情 |
| 17 | This repository contains a Proof of Concept (PoC) for CVE-2024-28397, a vulnerability in the js2py library allowing a sandbox escape to achieve remote code execution. | https://github.com/D3ltaFormation/CVE-2024-28397-Js2Py-RCE | POC详情 |
| 18 | A Python automation script for exploiting the **js2py Sandbox Escape** vulnerability (CVE-2024-28397). This tool automates the payload generation and delivery process to achieve Remote Code Execution (RCE) on vulnerable instances. | https://github.com/L1337Xi/CVE-2024-28397-Exploit-Automation | POC详情 |
| 19 | This vulnerability arises from incomplete sandboxing in js2py, where crafted JavaScript can traverse Python’s internal object model and access dangerous classes like subprocess.Popen, leading to arbitrary command execution. | https://github.com/GhostOverflow/CVE-2024-28397-command-execution-poc | POC详情 |
| 20 | js2py <= 0.74 sandbox escape (CVE-2024-28397) | https://github.com/3z-p0wn/CVE-2024-28397-exploit | POC详情 |
暂无评论