rope
Fixed in
0.11.0
CVE-2014-3539 is a critical remote code execution (RCE) vulnerability affecting the Rope Python library in versions up to and including 0.9.4. The vulnerability stems from an unsafe call to pickle.load in the doa.py file, which lets a malicious actor execute arbitrary code on a vulnerable system. The vulnerability was publicly disclosed in 2018 and a fix is available in version 0.11.0.
The impact of CVE-2014-3539 is severe. An attacker can exploit this vulnerability to gain complete control over a system running a vulnerable Rope installation. This could involve executing arbitrary commands, installing malware, stealing sensitive data, or pivoting to other systems on the network. Because the vulnerability relies on Python's pickle module, which by design runs arbitrary code when it deserializes untrusted input, it is particularly dangerous. Successful exploitation requires an attacker to deliver a crafted pickle payload, which can be achieved through various attack vectors, such as malicious files or network traffic.
CVE-2014-3539 has been publicly known for several years. While no widespread, active exploitation campaigns have been definitively linked to this specific CVE, the underlying pickle deserialization flaw is a common attack vector. Public proof-of-concept exploits exist, demonstrating the feasibility of exploitation. It is not listed on CISA KEV at the time of writing.
Systems using Rope versions prior to 0.11.0, particularly those that handle untrusted data or run Python scripts in environments with limited security controls, are at significant risk. Development environments and automated build systems that depend on older Rope versions are also vulnerable.
• python / server: Get-Process -Name python | Select-Object -ExpandProperty Path
• python / server: find / -name 'doa.py' 2>/dev/null
• python / supply-chain: Examine Python dependencies for vulnerable Rope library versions using pip list or conda list.
• python / server: Monitor system logs for unusual process creation or execution of commands originating from Python interpreters.
EPSS
2.28% (85th percentile)
The primary mitigation for CVE-2014-3539 is to upgrade the Rope library to version 0.11.0 or later, which contains the fix. If upgrading is not immediately feasible, restrict deserialization so that untrusted pickle data is never loaded. Restrict access to Python interpreters and the directories they can reach to limit the potential impact of a successful exploit. Employ network segmentation to isolate vulnerable systems. A direct WAF rule is unlikely to help, but monitoring for unusual pickle deserialization activity can provide early warning.
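As an added illustration of the mitigation above (this is example code, not part of Rope or of this advisory), the snippet below places the vulnerable pattern, a bare pickle.load on untrusted bytes, next to a restricted unpickler that refuses any global reference not on an allowlist. The allowlist and the sample data shape are assumptions; a constructed pickle that invokes a harmless callable (os.getcwd) on load stands in for a hostile payload.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve. Plain dicts,
# lists and strings need no globals at all; 'set' is included because older
# protocols reference builtins.set. Assumption: extend for your real data.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects every global lookup not in SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def unsafe_load(data: bytes):
    """The pattern the advisory describes: pickle.load on untrusted bytes."""
    return pickle.load(io.BytesIO(data))


def safe_load(data: bytes):
    """Hardened form: same bytes, but globals are filtered by find_class."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _CallsOnLoad:
    """Constructed sample whose pickle calls a callable during unpickling."""

    def __reduce__(self):
        return (os.getcwd, ())  # harmless stand-in for an attacker's choice


# Constructed inputs: benign object-database-like data, and the hostile pickle.
BENIGN = pickle.dumps({"mod.py": {"func": ["int", "str"]}})
HOSTILE = pickle.dumps(_CallsOnLoad())


def demo() -> dict:
    """Returns which loader executed the embedded callable."""
    unsafe_ran_callable = unsafe_load(HOSTILE) == os.getcwd()
    try:
        safe_load(HOSTILE)
        safe_blocked = False
    except pickle.UnpicklingError:
        safe_blocked = True
    return {"unsafe_ran_callable": unsafe_ran_callable, "safe_blocked": safe_blocked}
```

Running demo() shows that pickle.load executes the embedded call while the restricted unpickler rejects it, yet safe_load still round-trips ordinary data.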
No official patch available. Look for alternatives or monitor for updates.
CVE-2014-3539 is a critical remote code execution vulnerability in Python's Rope library, allowing attackers to execute arbitrary code through an unsafe pickle.load call.
You are affected if you are using Python with the Rope library in versions 0.9.4 or earlier. Upgrade to 0.11.0 or later to resolve the issue.
The recommended fix is to upgrade the Rope library to version 0.11.0 or later. If upgrading is not possible, ensure that untrusted pickle data is never deserialized.
While no widespread campaigns are confirmed, public proof-of-concept exploits exist, indicating the potential for exploitation.
Refer to the Python security advisory for details: https://security.python.org/vuln/20143539