pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
Platform
python
Component
pyrage
Fixed in
1.2.1
1.2.3
CVE-2024-56327 affects versions of pyrage up to 1.2.2. This vulnerability stems from pyrage's reliance on the Rust age crate, which contains a critical flaw (GHSA-4fg7-vxc8-qx5w). Exploitation could lead to information disclosure and potential manipulation of data. A fix is available in version 1.2.3.
Impact and Attack Scenarios
The underlying vulnerability in the age crate allows for potential information disclosure and manipulation of encrypted data. Because pyrage leverages this crate, any application using vulnerable versions of pyrage is at risk. Attackers could potentially decrypt sensitive information or tamper with data integrity. This vulnerability shares similarities with other cryptographic vulnerabilities where weaknesses in underlying libraries can expose applications using them. The impact is particularly severe given the potential for data compromise.
Exploitation Context
This CVE is linked to GHSA-4fg7-vxc8-qx5w, a known vulnerability in the age crate. Public proof-of-concept exploits for the underlying age vulnerability may exist or be developed. The vulnerability was published on 2024-12-19. The EPSS score is pending evaluation, but given the CRITICAL CVSS score and the nature of the vulnerability, a medium to high probability of exploitation is likely.
Who Is at Risk
Applications relying on pyrage for encryption or data protection are at risk. This includes systems using pyrage as a dependency in larger projects or as a standalone tool. Specifically, those using older versions of Python where pyrage was initially adopted are more likely to be vulnerable.
Detection Steps
• python / package: Use pip show pyrage to check the installed version. If the version is ≤1.2.2, the system is vulnerable.
• python / package: Run pip list and grep for pyrage to identify all instances of the package.
• generic web: Examine application logs for any errors or unusual activity related to pyrage or its dependencies.
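The two package checks above can be automated. The script below is an added example for this page, not pyrage's own tooling: it reads the installed pyrage version with the standard library and also scans a requirements file for exact pins, reporting each as affected (1.2.0 through 1.2.2, the range the FAQ gives), not affected, or unpinned. The sample requirements text is constructed for the example.

```python
"""Check installed and pinned pyrage versions against the range this
advisory describes (affected: >= 1.2.0 and <= 1.2.2; fixed in 1.2.3).
Added example for this page, not pyrage's own code; standard library only."""
import re
from importlib import metadata

AFFECTED_MIN = (1, 2, 0)  # plugin support arrived in 1.2.0 (per the FAQ on this page)
FIXED_IN = (1, 2, 3)      # first release that carries the patched age crate


def parse_version(text: str) -> tuple:
    """Turn '1.2.2' (or '1.2.2rc1') into a tuple of ints for comparison.
    Only leading numeric components count; pre-release suffixes are dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version lies in [1.2.0, 1.2.3)."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED_IN


def installed_status() -> str:
    """Report on the pyrage package installed in the current interpreter."""
    try:
        version = metadata.version("pyrage")
    except metadata.PackageNotFoundError:
        return "not installed"
    return f"{version}: " + ("affected" if is_affected(version) else "not affected")


def scan_requirements(requirements_text: str) -> dict:
    """Map every pyrage requirement line to 'affected', 'not affected' or 'unpinned'.
    Only exact '==' pins are judged; ranges and bare names are reported as unpinned
    so a reviewer resolves them against the actual lock file."""
    result = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        # The distribution name ends at the first operator, extra, marker or space.
        name = re.split(r"[=<>!~\[;\s]", line, maxsplit=1)[0].strip().lower()
        if name != "pyrage":
            continue
        pin = re.search(r"==\s*([0-9][\w.]*)", line)
        if pin is None:
            result[line] = "unpinned"
        else:
            result[line] = "affected" if is_affected(pin.group(1)) else "not affected"
    return result


# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.31.0
pyrage==1.2.2   # inside the affected range
"""

if __name__ == "__main__":
    print("installed:", installed_status())
    for line, status in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{line}: {status}")
```

Run it inside the virtual environment you want to audit, since `importlib.metadata` only sees packages installed for the running interpreter; for a monorepo, feed each requirements file's text to `scan_requirements`.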
Attack Timeline
- Disclosure
Threat Intelligence
EPSS
0.42% (percentile 62%)
CVSS Vector
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: unauthenticated. No credentials are needed to exploit.
- User Interaction
- None: automatic and silent attack. The victim does nothing.
- Scope
- Unchanged: impact confined to the vulnerable component.
- Confidentiality
- High: total loss of confidentiality. The attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete all data.
- Availability
- High: complete outage or resource exhaustion. Total denial of service.
Mitigation and Workarounds
The primary mitigation is to upgrade pyrage to version 1.2.3 or later, which resolves the dependency on the vulnerable age crate. If upgrading is not immediately feasible, consider isolating pyrage instances to limit the blast radius of a potential compromise. While a direct workaround isn't available, reviewing and restricting access to data processed by pyrage can reduce the potential impact. After upgrading, verify the fix by attempting to reproduce the vulnerability using known attack vectors against the updated pyrage installation.
How to fix
Upgrade the pyrage library to version 1.2.3 or later. This resolves the vulnerability that allows arbitrary binary execution through malicious plugin names, recipients or identities. You can upgrade with `pip install --upgrade pyrage`.
Frequently Asked Questions
What is CVE-2024-56327 — Critical Age Vulnerability in pyrage?
CVE-2024-56327 is a critical vulnerability in pyrage (versions ≤1.2.2) caused by a dependency on the vulnerable Rust age crate (GHSA-4fg7-vxc8-qx5w), potentially leading to information disclosure.
Am I affected by CVE-2024-56327 in pyrage?
You are affected if you are using pyrage version 1.2.2 or earlier. Versions before 1.2.0 are not affected as they lack plugin support.
How do I fix CVE-2024-56327 in pyrage?
Upgrade pyrage to version 1.2.3 or later to resolve the vulnerability. This updates the dependency to a patched version of the age crate.
Is CVE-2024-56327 being actively exploited?
While active exploitation is not confirmed, the CRITICAL severity and the availability of potential exploits for the underlying age crate suggest a high likelihood of exploitation.
Where can I find the official pyrage advisory for CVE-2024-56327?
Refer to the advisory details linked in the CVE description: https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c.