CVE-2022-0329 – loguru
Package
Manager: pip
Name: loguru
Vulnerable Version: <0
Severity
Level: Low
CVSS v3.1: N/A
CVSS v4.0: N/A
EPSS: N/A (percentile: N/A)
Details
Withdrawn: Code Injection in loguru

# Withdrawn

This advisory has been withdrawn after the maintainers of loguru noted this issue is not a security vulnerability and the CVE has been revoked. We have [stopped](https://github.com/Delgan/loguru/issues/563#issuecomment-1025223732) Dependabot alerts regarding this issue.

## Original Description

In versions of loguru up to and including 0.5.3, a lack of sanitization on log serialization can lead to arbitrary code execution. The maintainer disputes the issue, but has altered the behavior of the library in commit 4b0070a4f30cbf6d5e12e6274b242b62ea11c81b. See https://github.com/Delgan/loguru/issues/563 for further discussion of the issue. The function in question is intended for internal use only, but is not restricted. This has been patched in version 0.6.0.
Metadata
Created: 2022-01-28T22:01:45Z
Modified: 2022-02-01T15:17:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-cvp7-c586-cmf4/GHSA-cvp7-c586-cmf4.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-cvp7-c586-cmf4
Finding: N/A
Auto approve: 0