Platform
python
Component
pyload/pyload
Fixed in
0.5.1
CVE-2024-22416 describes a Privilege Escalation vulnerability within the pyLoad download manager. This flaw allows unauthenticated attackers to execute arbitrary API calls through Cross-Site Request Forgery (CSRF) attacks. The vulnerability affects versions of pyLoad prior to 0.5.0b3.dev78, and a fix is available in the specified version.
The core of this vulnerability lies in the pyLoad API's design and its lack of proper security controls. Because the session cookie is not set with the SameSite=Strict attribute, the browser attaches it to requests issued from other origins, so an attacker can craft malicious requests from a different origin that pyLoad processes as if they came from the legitimate, logged-in user. This effectively bypasses authentication and authorization mechanisms. An attacker could leverage this to perform actions such as modifying download configurations, accessing sensitive data, or potentially gaining control over the system running pyLoad, depending on the API's functionality and permissions. The fact that the attacker needs no credentials of their own makes this particularly dangerous, as anyone able to get a victim's browser to issue a CSRF request can exploit it.
This vulnerability was publicly disclosed on January 17, 2024. While no active exploitation campaigns have been publicly reported as of this writing, the ease of exploitation via CSRF and the absence of any authentication requirement make it a high-priority concern. The vulnerability's simplicity and the widespread use of Python in various environments suggests a potential for exploitation. It is not currently listed on CISA KEV, but its CRITICAL severity warrants close monitoring.
Systems running pyLoad versions prior to 0.5.0b3.dev78 are at risk, particularly those exposed to untrusted networks or web applications. Shared hosting environments where multiple users share the same pyLoad instance are especially vulnerable, as an attacker could potentially exploit the vulnerability through a compromised website on the same server.
• python: Monitor pyLoad API endpoint requests for unusual origins. Use Python's logging module to log all API requests, including the Origin header.

```python
import logging

# Example: log API requests, flagging those whose Origin header looks suspicious
logging.basicConfig(level=logging.INFO)


def log_request(origin):
    """Log the Origin header of an API request; origin is None when the client sent none."""
    origin = origin or "<none>"
    logging.info("API request, Origin=%s", origin)
    if "suspicious-domain.com" in origin:
        logging.warning("Suspicious origin detected: %s", origin)
```

• generic web: Examine web server access logs for requests to pyLoad API endpoints originating from unexpected or unauthorized domains. Look for patterns indicative of CSRF attacks.
• generic web: Check response headers for the absence of SameSite=Strict on pyLoad API cookies. Use `curl -I <pyloadapiurl>` to inspect headers. Note that `curl -I` sends a HEAD request, so a Set-Cookie header only appears if that response issues the session cookie; otherwise inspect the response to the login request (for example with `curl -i`), which is where the session cookie is normally set.
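The two "generic web" checks above can be automated. The following is an added example written for this advisory, not code from the pyLoad project: it parses constructed access-log lines (combined log format with the request's Origin header appended as a final quoted field, a common custom log format), flags API requests whose page origin is known and not on an allowlist, and inspects a Set-Cookie value for the SameSite=Strict, Secure and HttpOnly attributes. The hostnames, paths and cookie name are invented placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines: combined log format plus the Origin header as a
# final quoted field. Not real pyLoad logs; hostnames and API paths are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2024:10:00:01 +0000] "POST /api/login HTTP/1.1" 200 51 "https://pyload.internal.example/" "Mozilla/5.0" "https://pyload.internal.example"
10.0.0.5 - - [17/Jan/2024:10:00:07 +0000] "GET /api/status HTTP/1.1" 200 12 "https://pyload.internal.example/" "Mozilla/5.0" "-"
10.0.0.9 - - [17/Jan/2024:10:02:13 +0000] "POST /api/example_call HTTP/1.1" 200 4 "https://attacker.invalid/page.html" "Mozilla/5.0" "https://attacker.invalid"
10.0.0.9 - - [17/Jan/2024:10:02:15 +0000] "GET /api/example_call?x=1 HTTP/1.1" 200 4 "https://attacker.invalid/page.html" "Mozilla/5.0" "-"
10.0.0.7 - - [17/Jan/2024:10:03:00 +0000] "GET /files/ HTTP/1.1" 200 800 "-" "curl/8.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)


def source_origin(origin, referer):
    """Best-effort origin of the page that issued the request: the Origin header first,
    else scheme://host[:port] of the Referer. None when neither is present."""
    if origin and origin != "-":
        return origin.lower()
    if referer and referer != "-":
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def find_cross_origin_api_requests(log_text, allowed_origins, api_prefix="/api/"):
    """Return API requests whose page origin is known and not in the allowlist.
    Requests with neither Origin nor Referer (e.g. non-browser clients) are not flagged,
    so this is a detection aid, not proof of absence of CSRF."""
    allowed = {o.lower() for o in allowed_origins}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(api_prefix):
            continue
        src = source_origin(m["origin"], m["referer"])
        if src is not None and src not in allowed:
            hits.append({"ip": m["ip"], "method": m["method"], "path": m["path"], "origin": src})
    return hits


def cookie_issues(set_cookie_value):
    """Inspect one Set-Cookie header value and list the CSRF-relevant weaknesses."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {}
    for attr in parts[1:]:  # parts[0] is name=value of the cookie itself
        name, _, value = attr.partition("=")
        attrs[name.strip().lower()] = value.strip().lower()
    issues = []
    samesite = attrs.get("samesite")
    if samesite is None:
        issues.append("SameSite attribute missing")
    elif samesite != "strict":
        issues.append(f"SameSite is {samesite}, not Strict")
    if "secure" not in attrs:
        issues.append("Secure attribute missing")
    if "httponly" not in attrs:
        issues.append("HttpOnly attribute missing")
    return issues


if __name__ == "__main__":
    for hit in find_cross_origin_api_requests(SAMPLE_LOG, {"https://pyload.internal.example"}):
        print("cross-origin API request:", hit)
    print(cookie_issues("pyload_session=abc123; Path=/; HttpOnly"))
```

Run against the constructed log, the two requests from 10.0.0.9 are flagged (one via Origin, one via the Referer fallback), while the first-party requests and the non-API request are not; the sample cookie is reported as missing both SameSite and Secure.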
disclosure
Exploit Status
EPSS
5.90% (91st percentile)
CVSS Vector
The primary mitigation for CVE-2024-22416 is to immediately upgrade pyLoad to version 0.5.0b3.dev78 or later. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. These rules should specifically target API endpoints within pyLoad and validate the Origin header to prevent cross-origin requests. Additionally, carefully review and restrict access to the pyLoad API endpoints to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting a CSRF attack against a pyLoad API endpoint using a tool like Burp Suite and verifying that the request is rejected.
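As an added illustration of the interim mitigation described above (an Origin check in front of the API) and of the cookie attribute the fix relies on, here is a small WSGI middleware. It is example code written for this page, not pyLoad's own code or its actual fix: it rejects requests under a configurable API prefix whose page origin (Origin header, falling back to the Referer) is known and not allowlisted, and the stand-in application sets its session cookie with SameSite=Strict. The origin names, prefix and cookie name are assumptions.

```python
from urllib.parse import urlsplit


def request_origin(environ):
    """Origin of the page that issued this request: the Origin header, else scheme://host
    of the Referer; None when neither is present (e.g. curl or another API client)."""
    origin = environ.get("HTTP_ORIGIN", "").strip().lower()
    if origin:
        return origin  # may be "null" for opaque/sandboxed origins; never allowlisted
    parts = urlsplit(environ.get("HTTP_REFERER", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None


class CsrfOriginGuard:
    """WSGI middleware: block requests under api_prefix whose page origin is known and not
    allowlisted. All methods are guarded, since the advisory covers arbitrary API calls.
    Requests carrying neither Origin nor Referer are passed through unless require_origin
    is set, which keeps non-browser API clients working at the cost of that blind spot."""

    def __init__(self, app, allowed_origins, api_prefix="/api/", require_origin=False):
        self.app = app
        self.allowed = {o.lower().rstrip("/") for o in allowed_origins}
        self.prefix = api_prefix
        self.require_origin = require_origin

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").startswith(self.prefix):
            origin = request_origin(environ)
            blocked = (origin is None and self.require_origin) or (
                origin is not None and origin not in self.allowed
            )
            if blocked:
                body = b"cross-site request to API rejected\n"
                start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                                 ("Content-Length", str(len(body)))])
                return [body]
        return self.app(environ, start_response)


def session_cookie_header(name, value, max_age=3600):
    """Set-Cookie value for a session cookie carrying the attributes the advisory calls for."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Strict"


def demo_app(environ, start_response):
    """Stand-in for the protected application (constructed, not pyLoad's code)."""
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", session_cookie_header("session_id", "constructed-token"))]
    start_response("200 OK", headers)
    return [b"ok\n"]


def run_request(app, method, path, **headers):
    """Drive a WSGI app with a constructed environ; returns (status, body, headers).
    Keyword names map to HTTP headers, e.g. origin="https://x" -> HTTP_ORIGIN."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "SERVER_NAME": "pyload.internal.example", "SERVER_PORT": "443",
               "wsgi.url_scheme": "https"}
    for key, value in headers.items():
        environ["HTTP_" + key.upper()] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = response_headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body, captured["headers"]


# Assumed first-party origin of this pyLoad instance.
guarded = CsrfOriginGuard(demo_app, allowed_origins={"https://pyload.internal.example"})

if __name__ == "__main__":
    print(run_request(guarded, "POST", "/api/example_call", origin="https://attacker.invalid")[0])
    print(run_request(guarded, "POST", "/api/example_call", origin="https://pyload.internal.example")[0])
```

A cross-origin POST or a GET whose Referer points at another site gets a 403, a first-party request passes and receives the hardened cookie, and a request outside the API prefix is untouched. The `require_origin` switch is the trade-off a WAF rule has to make as well: strict mode also blocks legitimate scripted clients that send no browser headers.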
Update pyLoad to version 0.5.0b3.dev78 or later. This version fixes the CSRF vulnerability by implementing appropriate protection measures. The update can be performed through the Python package manager or by downloading the latest version from the official repository.
CVE-2024-22416 is a CRITICAL vulnerability in pyLoad download manager allowing unauthenticated attackers to execute arbitrary API calls via CSRF due to a missing SameSite cookie attribute.
You are affected if you are using pyLoad versions 0.5.0b3.dev78 or earlier. Upgrade to the latest version to mitigate the risk.
Upgrade pyLoad to version 0.5.0b3.dev78 or later. As a temporary workaround, implement a WAF with CSRF protection rules.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the pyLoad project's official channels and GitHub repository for the latest advisory and updates: [https://github.com/pyLoad/pyLoad](https://github.com/pyLoad/pyLoad)