FKIE_CVE-2009-0367

Vulnerability from fkie_nvd - Published: 2009-03-05 02:30 - Updated: 2025-04-09 00:30
Severity ?
Summary
The Python AI module in Wesnoth 1.4.x and 1.5 before 1.5.11 allows remote attackers to escape the sandbox and execute arbitrary code by using a whitelisted module that imports an unsafe module, then using a hierarchical module name to access the unsafe module through the whitelisted module.
References
cve@mitre.orghttp://launchpad.net/bugs/335089
cve@mitre.orghttp://launchpad.net/bugs/336396
cve@mitre.orghttp://launchpad.net/bugs/cve/2009-0367
cve@mitre.orghttp://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.4.7-4/changelog
cve@mitre.orghttp://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.5.12-1/changelog
cve@mitre.orghttp://secunia.com/advisories/34058Vendor Advisory
cve@mitre.orghttp://secunia.com/advisories/34236
cve@mitre.orghttp://www.debian.org/security/2009/dsa-1737
cve@mitre.orghttp://www.vupen.com/english/advisories/2009/0595Patch, Vendor Advisory
cve@mitre.orghttp://www.wesnoth.org/forum/viewtopic.php?t=24247Patch, Vendor Advisory
cve@mitre.orghttp://www.wesnoth.org/forum/viewtopic.php?t=24340Patch, Vendor Advisory
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/49058
cve@mitre.orghttps://gna.org/bugs/index.php?13048
af854a3a-2127-422b-91ae-364da2661108http://launchpad.net/bugs/335089
af854a3a-2127-422b-91ae-364da2661108http://launchpad.net/bugs/336396
af854a3a-2127-422b-91ae-364da2661108http://launchpad.net/bugs/cve/2009-0367
af854a3a-2127-422b-91ae-364da2661108http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.4.7-4/changelog
af854a3a-2127-422b-91ae-364da2661108http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.5.12-1/changelog
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/34058Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/34236
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2009/dsa-1737
af854a3a-2127-422b-91ae-364da2661108http://www.vupen.com/english/advisories/2009/0595Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.wesnoth.org/forum/viewtopic.php?t=24247Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.wesnoth.org/forum/viewtopic.php?t=24340Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/49058
af854a3a-2127-422b-91ae-364da2661108https://gna.org/bugs/index.php?13048
Impacted products
Vendor Product Version
wesnoth wesnoth 1.4
wesnoth wesnoth 1.4.1
wesnoth wesnoth 1.4.2
wesnoth wesnoth 1.4.3
wesnoth wesnoth 1.4.4
wesnoth wesnoth 1.4.5
wesnoth wesnoth 1.4.6
wesnoth wesnoth 1.4.7
wesnoth wesnoth 1.5.0
wesnoth wesnoth 1.5.1
wesnoth wesnoth 1.5.2
wesnoth wesnoth 1.5.3
wesnoth wesnoth 1.5.4
wesnoth wesnoth 1.5.5
wesnoth wesnoth 1.5.6
wesnoth wesnoth 1.5.7
wesnoth wesnoth 1.5.8
wesnoth wesnoth 1.5.9
wesnoth wesnoth 1.5.10
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB71E24E-1A08-491F-8379-FE41AF012E90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0B57803-62E1-4F50-92DD-6796C6D60758",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5D83E56-BE05-4DF7-88AD-BC0AD5098415",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "621115C3-5AF6-4709-BB0B-A0FE481C5C79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE1549F8-FE6A-49E5-BC19-585C4957E061",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FD5F86E-F65D-4114-9057-A81B360BE143",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.4.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "256B2C75-47E5-4A8F-9672-B56D17086764",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.4.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "ECD02FB1-72CD-42A3-8E7C-910490467A0A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "15627E66-D852-4F68-9C9A-3EAF5B805BC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "415FE737-8F89-463D-9F1D-EF5EDACFCD6F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1941BB00-8039-4DD8-815A-1AE0CA986C70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D091DF5-3229-43E0-BEC4-754992B8DD5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "77F8C56F-1F74-4F40-85D8-DA861DE4DB5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1E58D08-F602-4BE6-978D-34B58E9188B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "51001322-B437-4A1C-83BA-C8E3C3BCE7CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "A991E343-0C44-4F37-80EE-5C0E45EDA909",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C4223A3-6F43-4774-8579-59868FB5074B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA5792D1-F342-41F2-B056-D8BA99F5C80E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wesnoth:wesnoth:1.5.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "8EDB1AAF-2513-4511-9E28-E0E9ACF74C19",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Python AI module in Wesnoth 1.4.x and 1.5 before 1.5.11 allows remote attackers to escape the sandbox and execute arbitrary code by using a whitelisted module that imports an unsafe module, then using a hierarchical module name to access the unsafe module through the whitelisted module."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Python AI de Wesnoth v1.4.x y v1.5 anterior a v1.5.11, permite a atacantes remotos escapar del sandbox -caj\u00f3n de arena- y ejecutar c\u00f3digo de su elecci\u00f3n utilizando un m\u00f3dulo de lista blanca que importa un m\u00f3dulo no seguro, despu\u00e9s la usar el nombre de un m\u00f3dulo jer\u00e1rquico para acceder a un m\u00f3dulo no seguro a trav\u00e9s del m\u00f3dulo de lista blanca."
    }
  ],
  "id": "CVE-2009-0367",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 10.0,
        "obtainAllPrivilege": true,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2009-03-05T02:30:00.327",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://launchpad.net/bugs/335089"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://launchpad.net/bugs/336396"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://launchpad.net/bugs/cve/2009-0367"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.4.7-4/changelog"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.5.12-1/changelog"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/34058"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/34236"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2009/dsa-1737"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2009/0595"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.wesnoth.org/forum/viewtopic.php?t=24247"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.wesnoth.org/forum/viewtopic.php?t=24340"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49058"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://gna.org/bugs/index.php?13048"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://launchpad.net/bugs/335089"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://launchpad.net/bugs/336396"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://launchpad.net/bugs/cve/2009-0367"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.4.7-4/changelog"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.5.12-1/changelog"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/34058"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/34236"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2009/dsa-1737"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2009/0595"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.wesnoth.org/forum/viewtopic.php?t=24247"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.wesnoth.org/forum/viewtopic.php?t=24340"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49058"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://gna.org/bugs/index.php?13048"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.