CVE-2023-26145 (GCVE-0-2023-26145)

Vulnerability from cvelistv5 – Published: 2023-09-28 05:00 – Updated: 2024-09-23 19:02
VLAI
Summary
This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.
Severity
7.4 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a pydash Affected: 0 , < 6.0.0 (semver)
Credits
Calum Hutton
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:39:06.569Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-26145",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-23T19:02:43.525044Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-23T19:02:59.017Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pydash",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "6.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Calum Hutton"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\r\r**Note:**\r\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\r\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\r\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\r\r\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "Command Injection",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-28T05:00:01.328Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518"
        },
        {
          "url": "https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca"
        },
        {
          "url": "https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2023-26145",
    "datePublished": "2023-09-28T05:00:01.328Z",
    "dateReserved": "2023-02-20T10:28:48.928Z",
    "dateUpdated": "2024-09-23T19:02:59.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-26145",
      "date": "2026-06-03",
      "epss": "0.01771",
      "percentile": "0.82992"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:derrickgilland:pydash:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.0.0\", \"matchCriteriaId\": \"78227353-EE51-4D4E-8B42-A4ADE5B179BF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\\r\\r**Note:**\\r\\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\\r\\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\\r\\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\\r\\r\\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.\"}, {\"lang\": \"es\", \"value\": \"Esto afecta a las versiones del paquete pydash anteriores a la 6.0.0. Varios m\\u00e9todos de pydash, como pydash.objects.invoke() y pydash.collections.invoke_map(), aceptan rutas de puntos (Deep Path Strings) para apuntar a un objeto Python anidado, en relaci\\u00f3n con el objeto fuente original. Estas rutas se pueden utilizar para apuntar a atributos internos de clase y elementos de dictado, para recuperar, modificar o invocar objetos Python anidados. **Nota:** El m\\u00e9todo pydash.objects.invoke() es vulnerable a la inyecci\\u00f3n de comandos cuando se cumplen los siguientes requisitos previos: \\n1) El objeto fuente (argumento 1) no es un objeto integrado como list/dict (de lo contrario, the __init__.__globals__ path no es accesible) \\n2) El atacante tiene control sobre el argumento 2 (la cadena de ruta)\\n3) El argumento (el argumento para pasar al m\\u00e9todo invocado) \\nEl m\\u00e9todo pydash.collections.invoke_map() tambi\\u00e9n es vulnerable, pero es m\\u00e1s dif\\u00edcil de explotar ya que el atacante no tiene control directo sobre el argumento que se pasar\\u00e1 a la funci\\u00f3n invocada.\\n\"}]",
      "id": "CVE-2023-26145",
      "lastModified": "2024-11-21T07:50:52.307",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.9}]}",
      "published": "2023-09-28T05:15:45.843",
      "references": "[{\"url\": \"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\", \"source\": \"report@snyk.io\", \"tags\": [\"Patch\"]}, {\"url\": \"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\", \"source\": \"report@snyk.io\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "report@snyk.io",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}, {\"lang\": \"en\", \"value\": \"CWE-94\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-26145\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2023-09-28T05:15:45.843\",\"lastModified\":\"2024-11-21T07:50:52.307\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\\r\\r**Note:**\\r\\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\\r\\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\\r\\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\\r\\r\\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.\"},{\"lang\":\"es\",\"value\":\"Esto afecta a las versiones del paquete pydash anteriores a la 6.0.0. Varios m\u00e9todos de pydash, como pydash.objects.invoke() y pydash.collections.invoke_map(), aceptan rutas de puntos (Deep Path Strings) para apuntar a un objeto Python anidado, en relaci\u00f3n con el objeto fuente original. Estas rutas se pueden utilizar para apuntar a atributos internos de clase y elementos de dictado, para recuperar, modificar o invocar objetos Python anidados. **Nota:** El m\u00e9todo pydash.objects.invoke() es vulnerable a la inyecci\u00f3n de comandos cuando se cumplen los siguientes requisitos previos: \\n1) El objeto fuente (argumento 1) no es un objeto integrado como list/dict (de lo contrario, the __init__.__globals__ path no es accesible) \\n2) El atacante tiene control sobre el argumento 2 (la cadena de ruta)\\n3) El argumento (el argumento para pasar al m\u00e9todo invocado) \\nEl m\u00e9todo pydash.collections.invoke_map() tambi\u00e9n es vulnerable, pero es m\u00e1s dif\u00edcil de explotar ya que el atacante no tiene control directo sobre el argumento que se pasar\u00e1 a la funci\u00f3n invocada.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"},{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:derrickgilland:pydash:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.0.0\",\"matchCriteriaId\":\"78227353-EE51-4D4E-8B42-A4ADE5B179BF\"}]}]}],\"references\":[{\"url\":\"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:39:06.569Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-26145\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-23T19:02:43.525044Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-23T19:02:54.375Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Calum Hutton\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"pydash\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.0.0\", \"versionType\": \"semver\"}]}], \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518\"}, {\"url\": \"https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca\"}, {\"url\": \"https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.\\r\\r**Note:**\\r\\rThe pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:\\r\\r1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)\\r\\r2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)\\r\\r\\rThe pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-78\", \"description\": \"Command Injection\"}]}], \"providerMetadata\": {\"orgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"shortName\": \"snyk\", \"dateUpdated\": \"2023-09-28T05:00:01.328Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-26145\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-23T19:02:59.017Z\", \"dateReserved\": \"2023-02-20T10:28:48.928Z\", \"assignerOrgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"datePublished\": \"2023-09-28T05:00:01.328Z\", \"assignerShortName\": \"snyk\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.