Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
(SimpleEval) Objects (including modules) can leak dangerous modules through to direct access inside the sandbox.
Vulnerability Description
SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox. If the objects you've passed in as names to SimpleEval have modules or other disallowed / dangerous objects available as attrs. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call. The latest version 1.0.5 has this issue fixed. This vulnerability is fixed in 1.0.5.
CVSS Information
N/A
Vulnerability Type
CWE-915
Vulnerability Title
simpleeval 安全漏洞
Vulnerability Description
simpleeval是Daniel个人开发者的一个Python表达式安全求值库。 SimpleEval 1.0.5之前版本存在安全漏洞,该漏洞源于对象可能通过属性直接访问沙箱内的危险模块,如果作为名称传递给SimpleEval的对象具有模块或其他不允许的危险对象作为属性可用,或者通过将危险函数或模块作为回调传递给其他安全函数来调用,可能导致访问危险函数或模块。
CVSS Information
N/A
Vulnerability Type
N/A