Platform
python
Component
pyrage
Fixed in
1.2.1
1.2.3
CVE-2024-56327 affects pyrage versions up to and including 1.2.2. The vulnerability stems from pyrage's reliance on the Rust age crate, which contains a critical flaw (GHSA-4fg7-vxc8-qx5w). Exploitation could lead to information disclosure and potential manipulation of data. A fix is available in version 1.2.3.
The underlying vulnerability in the age crate allows for potential information disclosure and manipulation of encrypted data. Because pyrage wraps this crate, any application using a vulnerable version of pyrage is exposed. Attackers could potentially decrypt sensitive information or tamper with data integrity. This follows a familiar pattern in cryptographic software: a weakness in an underlying library is inherited by every application built on it. The impact is particularly severe given the potential for data compromise.
This CVE is linked to GHSA-4fg7-vxc8-qx5w, a known vulnerability in the age crate. Public proof-of-concept exploits for the underlying age vulnerability may exist or be developed. The vulnerability was published on 2024-12-19. The EPSS score is pending evaluation, but given the CRITICAL CVSS score and the nature of the vulnerability, a medium to high probability of exploitation is likely.
Applications relying on pyrage for encryption or data protection are at risk. This includes systems that use pyrage as a dependency of a larger project as well as those that use it as a standalone tool. Specifically, those using older versions of Python where pyrage was initially adopted are more likely to be vulnerable.
• python / package: Use `pip show pyrage` to check the installed version. If the version is ≤1.2.2, the system is vulnerable.
• python / package: Run `pip list` and grep for `pyrage` to identify all instances of the package.
• generic web: Examine application logs for any errors or unusual activity related to pyrage or its dependencies.
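The version check described in the detection steps above, written out as an added example (not code from this advisory or from the pyrage project). It parses the output of `pip show pyrage` and `pip list` and compares the version against the affected range stated on this page (plugin support arrived in 1.2.0, the fix ships in 1.2.3, so 1.2.0 through 1.2.2 is affected). The sample command outputs embedded in the script are constructed for illustration; the `installed_pyrage_version` helper reads the real installed metadata when the script is run directly.

```python
"""Check whether an installed pyrage version falls in the CVE-2024-56327 range."""
import re
from importlib import metadata

# Affected range as stated in the advisory: 1.2.0 <= version < 1.2.3.
FIRST_AFFECTED = (1, 2, 0)
FIRST_FIXED = (1, 2, 3)

# Constructed sample outputs (not captured from a real system).
SAMPLE_PIP_SHOW = """\
Name: pyrage
Version: 1.2.2
Summary: (constructed sample)
Location: /tmp/venv/lib/python3.12/site-packages
"""

SAMPLE_PIP_LIST = """\
Package    Version
---------- -------
pip        24.0
pyrage     1.2.2
requests   2.32.3
"""


def parse_version(text):
    """Turn '1.2.2' (or '1.2', '1.2.2rc1') into a comparable integer tuple.

    Only the leading numeric release segments are used; a pre-release
    suffix is ignored for this range check.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so (1, 2) compares like (1, 2, 0).
    return parts + (0,) * (3 - len(parts))


def is_affected(version_text):
    """True if the version lies inside the affected range."""
    v = parse_version(version_text)
    return FIRST_AFFECTED <= v < FIRST_FIXED


def parse_pip_show(output):
    """Extract the value of the 'Version:' line from `pip show` output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "version":
            return value.strip()
    return None


def pyrage_version_from_pip_list(output):
    """Find the pyrage row in `pip list` output and return its version."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].lower() == "pyrage":
            return fields[1]
    return None


def installed_pyrage_version():
    """Version of the pyrage installed in this interpreter, or None."""
    try:
        return metadata.version("pyrage")
    except metadata.PackageNotFoundError:
        return None


def verdict(version_text):
    """Human-readable result for one version string."""
    if is_affected(version_text):
        return f"pyrage {version_text}: AFFECTED, upgrade to 1.2.3 or later"
    return f"pyrage {version_text}: not in the affected range"


if __name__ == "__main__":
    # Check the constructed samples, then the real environment.
    print(verdict(parse_pip_show(SAMPLE_PIP_SHOW)))
    print(verdict(pyrage_version_from_pip_list(SAMPLE_PIP_LIST)))
    live = installed_pyrage_version()
    print("pyrage is not installed here" if live is None else verdict(live))
```

The range check uses a numeric tuple rather than a string comparison so that a future `1.10.0` is not mistaken for an affected `1.1x` release; if the `packaging` library is available, its `Version` class is the more complete choice.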
disclosure
Exploit Status
EPSS
0.42% (62nd percentile)
CVSS-vector
The primary mitigation is to upgrade pyrage to version 1.2.3 or later, which replaces the dependency on the vulnerable age crate with a patched one. If upgrading is not immediately feasible, consider isolating pyrage instances to limit the blast radius of a potential compromise. While no direct workaround is available, reviewing and restricting access to the data processed by pyrage can reduce the potential impact. After upgrading, verify the fix by attempting to reproduce the vulnerability using known attack vectors against the updated pyrage installation.
Update the pyrage library to version 1.2.3 or higher. This fixes the vulnerability that allows arbitrary binary execution through malicious plugin names, recipients or identities. You can update with `pip install --upgrade pyrage`.
CVE-2024-56327 is a critical vulnerability in pyrage (versions ≤1.2.2) caused by a dependency on the vulnerable Rust age crate (GHSA-4fg7-vxc8-qx5w), potentially leading to information disclosure.
You are affected if you are using pyrage version 1.2.2 or earlier. Versions before 1.2.0 are not affected as they lack plugin support.
Upgrade pyrage to version 1.2.3 or later to resolve the vulnerability. This updates the dependency to a patched version of the age crate.
While active exploitation is not confirmed, the CRITICAL severity and the availability of potential exploits for the underlying age crate suggest a high likelihood of exploitation.
Refer to the advisory details linked in the CVE description: https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c.