pysec-2024-5

Vulnerability from pysec

Published

2024-01-11 03:15

Modified

2024-01-25 14:03

Severity ?

2.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Details

cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. An information leakage vulnerability is present in cdo-local-uuid at version 0.4.0, and in case-utils in unpatched versions (matching the pattern 0.x.0) at and since 0.5.0, before 0.15.0. The vulnerability stems from a Python function, cdo_local_uuid.local_uuid(), and its original implementation case_utils.local_uuid().

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils",
        "purl": "pkg:pypi/case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9e78f7cb1075728d0aafc918514f32a1392cd235"
            }
          ],
          "repo": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "00864cd12de7c50d882dd1a74915d32e939c25f9"
            },
            {
              "fixed": "1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b"
            },
            {
              "fixed": "5acb929dfb599709d1c8c90d1824dd79e0fd9e10"
            },
            {
              "fixed": "7e02d18383eabbeb9fb4ec97d81438c9980a4790"
            },
            {
              "fixed": "80551f49241c874c7c50e14abe05c5017630dad2"
            },
            {
              "fixed": "939775f956796d0432ecabbf62782ed7ad1007b5"
            },
            {
              "fixed": "db428a0745dac4fdd888ced9c52f617695519f9d"
            },
            {
              "fixed": "e4ffadc3d56fd303b8f465d727c4a58213d311a1"
            },
            {
              "fixed": "fca7388f09feccd3b9ea88e6df9c7a43a5349452"
            },
            {
              "fixed": "fdc32414eccfcbde6be0fd91b7f491cc0779b02d"
            }
          ],
          "repo": "https://github.com/casework/CASE-Utilities-Python",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.0",
        "0.10.1",
        "0.10.1.post0",
        "0.11.0",
        "0.11.1",
        "0.11.1.post0",
        "0.12.0",
        "0.12.1",
        "0.12.1.post0",
        "0.13.0",
        "0.13.1",
        "0.13.1.post0",
        "0.14.0",
        "0.14.1",
        "0.14.1.post0",
        "0.15.0",
        "0.5.0",
        "0.5.1",
        "0.5.1.post0",
        "0.6.0",
        "0.6.1",
        "0.7.0",
        "0.7.1",
        "0.8.0",
        "0.8.1",
        "0.8.1.post0",
        "0.9.0",
        "0.9.1",
        "0.9.1.post0",
        "0.16.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-22194",
    "GHSA-rgrf-6mf5-m882"
  ],
  "details": "cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. An information leakage vulnerability is present in `cdo-local-uuid` at version `0.4.0`, and in `case-utils` in unpatched versions (matching the pattern `0.x.0`) at and since `0.5.0`, before `0.15.0`. The vulnerability stems from a Python function, `cdo_local_uuid.local_uuid()`, and its original implementation `case_utils.local_uuid()`. ",
  "id": "PYSEC-2024-5",
  "modified": "2024-01-25T14:03:52.279077Z",
  "published": "2024-01-11T03:15:00Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/fca7388f09feccd3b9ea88e6df9c7a43a5349452"
    },
    {
      "type": "FIX",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2024-22194

Vulnerability from cvelistv5

Published

2024-01-11 02:21

Modified

2024-08-01 22:35

Severity ?

2.2 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Summary

cdo-local-uuid vulnerable to insertion of artifact derived from developer's Present Working Directory into demonstration code

References

▼	URL	Tags
	https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882	x_refsource_CONFIRM
	https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3	x_refsource_MISC
	https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4	x_refsource_MISC
	https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/fca7388f09feccd3b9ea88e6df9c7a43a5349452	x_refsource_MISC
	https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Cyber-Domain-Ontology

CDO-Utility-Local-UUID

Version: = 0.4.0
Version: = 0.5.0
Version: = 0.6.0
Version: = 0.7.0
Version: = 0.8.0
Version: = 0.9.0
Version: = 0.10.0
Version: = 0.11.0
Version: = 0.12.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:35:34.933Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882"
          },
          {
            "name": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3"
          },
          {
            "name": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4"
          },
          {
            "name": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/fca7388f09feccd3b9ea88e6df9c7a43a5349452",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/fca7388f09feccd3b9ea88e6df9c7a43a5349452"
          },
          {
            "name": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CDO-Utility-Local-UUID",
          "vendor": "Cyber-Domain-Ontology",
          "versions": [
            {
              "status": "affected",
              "version": "= 0.4.0"
            },
            {
              "status": "affected",
              "version": "= 0.5.0"
            },
            {
              "status": "affected",
              "version": "= 0.6.0"
            },
            {
              "status": "affected",
              "version": "= 0.7.0"
            },
            {
              "status": "affected",
              "version": "= 0.8.0"
            },
            {
              "status": "affected",
              "version": "= 0.9.0"
            },
            {
              "status": "affected",
              "version": "= 0.10.0"
            },
            {
              "status": "affected",
              "version": "= 0.11.0"
            },
            {
              "status": "affected",
              "version": "= 0.12.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. An information leakage vulnerability is present in `cdo-local-uuid` at version `0.4.0`, and in `case-utils` in unpatched versions (matching the pattern `0.x.0`) at and since `0.5.0`, before `0.15.0`. The vulnerability stems from a Python function, `cdo_local_uuid.local_uuid()`, and its original implementation `case_utils.local_uuid()`. "
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.2,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-215",
              "description": "CWE-215: Insertion of Sensitive Information Into Debugging Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-337",
              "description": "CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-11T02:21:53.758Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882"
        },
        {
          "name": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3"
        },
        {
          "name": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4"
        },
        {
          "name": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/fca7388f09feccd3b9ea88e6df9c7a43a5349452",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/fca7388f09feccd3b9ea88e6df9c7a43a5349452"
        },
        {
          "name": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509"
        }
      ],
      "source": {
        "advisory": "GHSA-rgrf-6mf5-m882",
        "discovery": "UNKNOWN"
      },
      "title": "cdo-local-uuid vulnerable to insertion of artifact derived from developer\u0027s Present Working Directory into demonstration code"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-22194",
    "datePublished": "2024-01-11T02:21:53.758Z",
    "dateReserved": "2024-01-08T04:59:27.371Z",
    "dateUpdated": "2024-08-01T22:35:34.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

ghsa-rgrf-6mf5-m882

Vulnerability from github

Published

2024-01-11 15:18

Modified

2024-09-13 17:39

Severity ?

2.2 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
0.5 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Summary

cdo-local-uuid vulnerable to insertion of artifact derived from developer's Present Working Directory into demonstration code

Details

Impact

What kind of vulnerability is it? Who is impacted?

An information leakage vulnerability is present in cdo-local-uuid at version 0.4.0, and in case-utils in unpatched versions (matching the pattern 0.x.0) at and since 0.5.0, before 0.15.0.

The vulnerability stems from a Python function, cdo_local_uuid.local_uuid(), and its original implementation case_utils.local_uuid(). Henceforth, both will be called local_uuid().

local_uuid() generates UUIDv5s using a deterministic pseudorandom number stream. This was written to make graph application demonstrations generate consistent, version-controllable output with minimal noise caused by demonstration re-runs. Part of the information used to keep individual examples' generated output distinct from one another is seed information from the caller's environment, particularly the program's argument vector. The present working directory is also included as part of the seed information, but for reasons including maintaining user environment privacy, as well as keeping generated identifiers consistent regardless of where a source tree is housed on a user's file system, the present working directory is trimmed from the left to exclude path information outside of a supplied "Top" source directory. (In context of the Make scripting language, this "top" directory is typically in a variable called top_srcdir. In context of Git-based project management, this directory is expected to be the root directory of a freshly "Cloned" project, e.g., where .git is stored.)

Under certain conditions, a user's present working directory, as an absolute path, was incorporated into seed data for the local_uuid() deterministic pseudorandom number stream. This violates an expectation made in the documented purpose of the local_uuid() function, and leaks information about a calling user's environment.

The conditions are:

Given a project with top source directory top_srcdir, for instance /home/user1/Documents/Project1;
Given a Python script housed directly in top_srcdir, for instance at ${top_srcdir}/example.py, written to support the deterministic mode of local_uuid();
Given a call to that Python script that follows the documentation for local_uuid();

The absolute path for top_srcdir was then included in the seed information for the UUIDv5 stream, when what was intended was a relative path spelling. That is, instead of ./example.py being in the seed data, /home/user1/Documents/Project1/example.py was in the seed data.

This does not leak the present working directory directly. But, given other knowledge of how a program had been called to generate data using local_uuid() under these conditions, it becomes possible to determine that a chosen path can lead to a known UUIDv5 value. Note that it is not necessarily knowable that the chosen path is the only solution to a sequence reconstruction; but, the path can be confirmed to be a solution.

Patches

Has the problem been patched? What versions should users upgrade to?

The issue has been patched, in the cdo-local-uuid source repository and the case-utils source repository.

Users should upgrade to any of these versions minimally:

case-utils == 0.5.1
case-utils == 0.6.1
case-utils == 0.7.1
case-utils == 0.8.1
case-utils == 0.9.1
case-utils == 0.10.1
case-utils == 0.11.1
case-utils == 0.12.1
case-utils == 0.13.1
case-utils == 0.14.1
case-utils >= 0.15.0
cdo-local-uuid == 0.5.0

All case-utils releases that contain the patch have the commit ea630cce66b26dae6d7fa7e02451d6e25456a5f2 in their Git history. Anyone interested in confirming the presence of this commit in a certain branch or tag can run the following test (written in Bash), substituting the desired branch name for the assigned value of my_git_ref_of_interest:

```bash

!/bin/bash

Present working directory ($PWD) should be in a clone of this repository:

https://github.com/casework/CASE-Utilities-Python

my_git_ref_of_interest=main test \ "xea630cce66b26dae6d7fa7e02451d6e25456a5f2" \ == \ "x$(git merge-base ea630cc ${my_git_ref_of_interest})" echo $? # Should print '0' ```

Note that other releases have been posted atop some of those minimal versions recommended for upgrading, named, e.g., 0.5.1.post0. These releases were posted to update internal library version numbers, and otherwise contain no functional changes, in accordance with Python Packaging guidance:

https://packaging.python.org/en/latest/specifications/version-specifiers/#post-release-separators

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

If the script calling cdo_local_uuid.local_uuid() is moved out of the "Top" source directory, the issue is addressed.

References

Are there any links users can visit to find out more?

The issue is addressed in this Pull Request:

https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3

Tests to reproduce the issue's conditions and confirm it has been addressed are in this Pull Requested:

https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cdo-local-uuid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.4.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "fixed": "0.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.6.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "0.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.7.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.8.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.9.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.0"
            },
            {
              "fixed": "0.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.11.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.12.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.0"
            },
            {
              "fixed": "0.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.13.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "case-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.14.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-22194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-215",
      "CWE-337"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-11T15:18:51Z",
    "nvd_published_at": "2024-01-11T03:15:10Z",
    "severity": "LOW"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nAn information leakage vulnerability is present in [`cdo-local-uuid`](https://pypi.org/project/cdo-local-uuid/) at version `0.4.0`, and in [`case-utils`](https://pypi.org/project/case-utils/) in unpatched versions (matching the pattern `0.x.0`) at and since `0.5.0`, before `0.15.0`.\n\nThe vulnerability stems from a Python function, `cdo_local_uuid.local_uuid()`, and its original implementation `case_utils.local_uuid()`.  Henceforth, both will be called `local_uuid()`.\n\n`local_uuid()` generates UUIDv5s using a deterministic pseudorandom number stream.  This was written to make graph application demonstrations generate consistent, version-controllable output with minimal noise caused by demonstration re-runs.  Part of the information used to keep individual examples\u0027 generated output distinct from one another is seed information from the caller\u0027s environment, particularly the program\u0027s argument vector.  The present working directory is also included as part of the seed information, but for reasons including maintaining user environment privacy, as well as keeping generated identifiers consistent regardless of where a source tree is housed on a user\u0027s file system, the present working directory is trimmed from the left to exclude path information outside of a supplied \"Top\" source directory.  (In context of the Make scripting language, this \"top\" directory is typically in a variable called `top_srcdir`.  In context of Git-based project management, this directory is expected to be the root directory of a freshly \"Cloned\" project, e.g., where `.git` is stored.)\n\nUnder certain conditions, a user\u0027s present working directory, as an absolute path, was incorporated into seed data for the `local_uuid()` deterministic pseudorandom number stream.  This violates an expectation made in the documented purpose of the `local_uuid()` function, and leaks information about a calling user\u0027s environment.\n\nThe conditions are:\n\n* Given a project with top source directory `top_srcdir`, for instance `/home/user1/Documents/Project1`;\n* Given a Python script housed directly in `top_srcdir`, for instance at `${top_srcdir}/example.py`, written to support the deterministic mode of `local_uuid()`;\n* Given a call to that Python script that follows the documentation for `local_uuid()`;\n\nThe absolute path for `top_srcdir` was then included in the seed information for the UUIDv5 stream, when what was intended was a relative path spelling.  That is, instead of `./example.py` being in the seed data, `/home/user1/Documents/Project1/example.py` was in the seed data.\n\nThis does not leak the present working directory directly.  But, given other knowledge of how a program had been called to generate data using `local_uuid()` under these conditions, it becomes possible to determine that a chosen path can lead to a known UUIDv5 value.  Note that it is not necessarily knowable that the chosen path is the *only* solution to a sequence reconstruction; but, the path can be confirmed to be *a* solution.\n\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe issue has been patched, in the `cdo-local-uuid` source repository and the `case-utils` source repository.\n\nUsers should upgrade to any of these versions minimally:\n\n* `case-utils == 0.5.1`\n* `case-utils == 0.6.1`\n* `case-utils == 0.7.1`\n* `case-utils == 0.8.1`\n* `case-utils == 0.9.1`\n* `case-utils == 0.10.1`\n* `case-utils == 0.11.1`\n* `case-utils == 0.12.1`\n* `case-utils == 0.13.1`\n* `case-utils == 0.14.1`\n* `case-utils \u003e= 0.15.0`\n* `cdo-local-uuid == 0.5.0`\n\nAll `case-utils` releases that contain the patch have the commit `ea630cce66b26dae6d7fa7e02451d6e25456a5f2` in their Git history.  Anyone interested in confirming the presence of this commit in a certain branch or tag can run the following test (written in Bash), substituting the desired branch name for the assigned value of `my_git_ref_of_interest`:\n\n```bash\n#!/bin/bash\n# Present working directory ($PWD) should be in a clone of this repository:\n# https://github.com/casework/CASE-Utilities-Python\nmy_git_ref_of_interest=main\ntest \\\n  \"xea630cce66b26dae6d7fa7e02451d6e25456a5f2\" \\\n  == \\\n  \"x$(git merge-base ea630cc ${my_git_ref_of_interest})\"\necho $?  # Should print \u00270\u0027\n```\n\nNote that other releases have been posted atop some of those minimal versions recommended for upgrading, named, e.g., `0.5.1.post0`.  These releases were posted to update internal library version numbers, and otherwise contain no functional changes, in accordance with Python Packaging guidance:\n\n* https://packaging.python.org/en/latest/specifications/version-specifiers/#post-release-separators\n\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nIf the script calling `cdo_local_uuid.local_uuid()` is moved out of the \"Top\" source directory, the issue is addressed.\n\n\n### References\n_Are there any links users can visit to find out more?_\n\nThe issue is addressed in this Pull Request:\n\n* https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3\n\nTests to reproduce the issue\u0027s conditions and confirm it has been addressed are in this Pull Requested:\n\n* https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4\n\n\u003c!--\nCVSS3.1 vector determined by rubric diagrams at this page:\nhttps://www.first.org/cvss/v3.1/user-guide\n--\u003e",
  "id": "GHSA-rgrf-6mf5-m882",
  "modified": "2024-09-13T17:39:18Z",
  "published": "2024-01-11T15:18:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22194"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/pull/4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/fca7388f09feccd3b9ea88e6df9c7a43a5349452"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/case-utils/PYSEC-2024-5.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cdo-local-uuid/PYSEC-2024-6.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "cdo-local-uuid vulnerable to insertion of artifact derived from developer\u0027s Present Working Directory into demonstration code"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2024-5

Vulnerability from pysec

cve-2024-22194

Vulnerability from cvelistv5

ghsa-rgrf-6mf5-m882

Vulnerability from github

Impact

Patches

!/bin/bash

Present working directory ($PWD) should be in a clone of this repository:

https://github.com/casework/CASE-Utilities-Python

Workarounds

References

Tags

Sightings

Nomenclature