
CVE-2024-56327 pyrage

Package

Manager: pip
Name: pyrage
Vulnerable Version: >=1.2.0 <1.2.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00158 (percentile 0.37139)

Details

pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution

`pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to `pyrage` for the versions specified in this advisory; see GHSA-4fg7-vxc8-qx5w for full details. Versions of `pyrage` before 1.2.0 lack plugin support and are therefore **not affected**. An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age); see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c). Thanks to ⬡-49016 for reporting this issue.

Metadata

Created: 2024-12-19T15:14:06Z
Modified: 2024-12-20T18:35:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-47h8-jmp3-9f28/GHSA-47h8-jmp3-9f28.json
CWE IDs: CWE-1395, CWE-25, CWE-94
Alternative ID: GHSA-47h8-jmp3-9f28
Finding: F422
Auto approve: 1