pysec - pysec-2022-199

PYSEC-2022-199

Vulnerability from pysec - Published: 2022-05-24 17:55 - Updated: 2022-05-24 17:55

Details

The ctx hosted project on PyPI was taken over via user account compromise and replaced with a malicious project which contained runtime code which collected the content of os.environ.items() when instantiating Ctx objects.

Impacted products

Name	purl
ctx	pkg:pypi/ctx

Aliases

GSD-2022-1002521

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ctx",
        "purl": "pkg:pypi/ctx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.2-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.2-1",
        "0.1.2-2",
        "0.1.4",
        "0.2",
        "0.2.1",
        "0.2.2",
        "0.2.2.1",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6"
      ]
    }
  ],
  "aliases": [
    "GSD-2022-1002521"
  ],
  "details": "The ctx hosted project on PyPI was taken over via user account compromise and replaced with a malicious project which contained runtime code which collected the content of os.environ.items() when instantiating Ctx objects.",
  "id": "PYSEC-2022-199",
  "modified": "2022-05-24T17:55:00.000000Z",
  "published": "2022-05-24T17:55:00.000000Z",
  "references": [
    {
      "type": "ARTICLE",
      "url": "https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domain-takeover.html"
    }
  ]
}

GSD-2022-1002521

Vulnerability from gsd

JSON

To clipboard

{
  "GSD": {
    "affected_component": "ctx",
    "attack_vector": "malicious package update",
    "credit": "",
    "description": "In PyPI ctx version 0.1.2-1, 0.1.2-2, 0.1.4, 0.2, 0.2.1, 0.2.2, 0.2.2.1, 0.2.3, 0.2.4, 0.2.5, 0.2.6 a backdoor exists in the ctx package that can be attacked via a malicious package update resulting in credential theft from environment variables",
    "impact": "credential theft",
    "notes": "",
    "product_name": "ctx",
    "product_version": "0.1.2-1, 0.1.2-2, 0.1.4, 0.2, 0.2.1, 0.2.2, 0.2.2.1, 0.2.3, 0.2.4, 0.2.5, 0.2.6",
    "references": [
      "https://isc.sans.edu/diary/28678",
      "https://github.com/github/advisory-database/issues/325",
      "https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domain-takeover.html",
      "https://github.com/pypa/advisory-database/blob/main/vulns/ctx/PYSEC-2022-199.yaml"
    ],
    "reporter": "joshbressers",
    "reporter_id": 1692786,
    "vendor_name": "PyPI",
    "vulnerability_type": "backdoor"
  },
  "OSV": {
    "affected": [
      {
        "package": {
          "ecosystem": "GSD",
          "name": "ctx"
        },
        "versions": [
          "0.1.2-1",
          "0.1.2-2",
          "0.1.4",
          "0.2",
          "0.2.1",
          "0.2.2",
          "0.2.2.1",
          "0.2.3",
          "0.2.4",
          "0.2.5",
          "0.2.6"
        ]
      }
    ],
    "details": "In PyPI ctx version 0.1.2-1, 0.1.2-2, 0.1.4, 0.2, 0.2.1, 0.2.2, 0.2.2.1, 0.2.3, 0.2.4, 0.2.5, 0.2.6 a backdoor exists in the ctx package that can be attacked via a malicious package update resulting in credential theft from environment variables",
    "id": "GSD-2022-1002521",
    "modified": "2022-05-24T16:49:59.126662Z",
    "published": "2022-05-24T16:49:59.126662Z",
    "references": [
      {
        "type": "WEB",
        "url": "https://isc.sans.edu/diary/28678"
      },
      {
        "type": "WEB",
        "url": "https://blog.sonatype.com/pypi-package-ctx-compromised-are-you-at-risk"
      },
      {
        "type": "WEB",
        "url": "https://github.com/github/advisory-database/issues/325"
      },
      {
        "type": "ARTICLE",
        "url": "https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domain-takeover.html"
      },
      {
        "type": "ADVISORY",
        "url": "https://github.com/pypa/advisory-database/blob/main/vulns/ctx/PYSEC-2022-199.yaml"
      }
    ],
    "summary": "backdoor in ctx version 0.1.2-1, 0.1.2-2, 0.1.4, 0.2, 0.2.1, 0.2.2, 0.2.2.1, 0.2.3, 0.2.4, 0.2.5, 0.2.6"
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2022-199

GSD-2022-1002521

Tags

Sightings

Nomenclature