Skip to content

RestrictedPython vulnerable to arbitrary code execution via stack frame sandbox escape

High severity GitHub Reviewed Published Jul 10, 2023 in zopefoundation/RestrictedPython • Updated Nov 7, 2023

Package

pip RestrictedPython (pip)

Affected versions

< 5.3
>= 6.0a1.dev0, < 6.1

Patched versions

5.3
6.1
pip restrictedpython (pip)
>= 0, < 5.3
5.3

Description

Impact

RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least generators and generator expressions, which are allowed inside RestrictedPython. An attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted scope allowing the call of unrestricted Python code and therefore potentially allowing arbitrary code execution in the Python interpreter.

All RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment are at risk. In terms of Zope and Plone, this would mean deployments where the administrator allows untrusted users to create and/or edit objects of type Script (Python), DTML Method, DTML Document or Zope Page Template. This is a non-default configuration and likely to be extremely rare.

Patches

The problem has been fixed in releases 5.3 and 6.1.

Workarounds

There is no workaround available. If you cannot upgrade to the latest release you should ensure the RestrictedPython environment is only available for trusted users.

References

For more information

If you have any questions or comments about this advisory:

Credits

Thanks for analysing and reporting the go to:

  • Nakul Choudhary (Quasar0147 on GitHub)
  • despawningbone on GitHub
  • Robert Xiao (nneonneo on GitHub)

References

@dataflake dataflake published to zopefoundation/RestrictedPython Jul 10, 2023
Published to the GitHub Advisory Database Jul 10, 2023
Reviewed Jul 10, 2023
Published by the National Vulnerability Database Jul 11, 2023
Last updated Nov 7, 2023

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

EPSS score

0.148%
(52nd percentile)

Weaknesses

CVE ID

CVE-2023-37271

GHSA ID

GHSA-wqc8-x2pr-7jqh

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.