CVE-2024-27758 – rpyc
Package
Manager: pip
Name: rpyc
Vulnerable Version: >=4.0.0 <6.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
EPSS: 0.02872 (percentile 0.85738)
Details
RPyC's missing security check results in code execution when using numpy.array on the server side. An issue in Open Source: RPyC v.4.00 through v.5.3.1 allows a remote attacker to execute arbitrary code via a crafted script to the `__array__` attribute component. This vulnerability was introduced in [9f45f826](https://github.com/tomerfiliba-org/rpyc/commit/9f45f8269d4106905db61d82cd529cacdb178911).

### Attack Vector

RPyC services that rely on the `__array__` attribute used by numpy are impacted. When the server side exposes a method that calls the attribute named `__array__` on a client-provided netref (e.g., `np.array(client_netref)`), a remote attacker can craft a class which results in remote code execution.

### Impact

Assuming the system exposes a method that calls the attribute `__array__`, an attacker can execute code using the vulnerable component.

### Patches

The fix is available in RPyC 6.0.0. The major version change is because some users may need to set `allow_pickle` to `True` when migrating to RPyC 6.

### Workarounds

While the recommended fix is to upgrade to RPyC 6.0.0, the workaround is to [apply bba1d356 as a patch](https://github.com/tomerfiliba-org/rpyc/commit/bba1d3562e6f9f1256ec64048cc23001c0bb7516).

### Affected Component

[The affected component](https://github.com/tomerfiliba-org/rpyc/blob/5.3.1/rpyc/core/netref.py#L252-L255) is the `__array__` method constructed for `NetrefClass`.

### References

- [Original disclosure](https://gist.github.com/renbou/957f70d27470982994f12a1d70153d09) by [renbou (Artem Mikheev)](https://gist.github.com/renbou)
- [CVE-2024-27758](https://nvd.nist.gov/vuln/detail/CVE-2024-27758)
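Added example, not code from the advisory or from the RPyC project: a server-side guard for services that cannot upgrade yet, which copies client-supplied array data into plain Python values before numpy sees it, so `np.array(...)` is never called on a netref and the proxy's `__array__` is never invoked. It assumes only that `rpyc.core.netref.BaseNetref` is the netref base class; the element limit is a constructed value.

```python
# Added example (not from the advisory or from RPyC): convert untrusted
# client input to plain nested lists of numbers before handing it to numpy.
import numbers

try:
    # Assumed: BaseNetref is the common base class of RPyC proxy objects.
    from rpyc.core.netref import BaseNetref
except ImportError:  # rpyc not installed: rely on the duck-typed check only
    BaseNetref = ()

MAX_ELEMENTS = 10_000  # constructed limit to bound server-side work


def is_untrusted_proxy(obj):
    """True if obj is an RPyC netref or anything defining its own __array__.

    numpy.array(obj) would call obj.__array__(); on a netref that is a
    round-trip to the client, which is the path CVE-2024-27758 abuses.
    type(obj) is used on purpose: a netref's __class__ reports the remote
    class, while type() returns the local proxy class.
    """
    if BaseNetref and isinstance(obj, BaseNetref):
        return True
    return hasattr(type(obj), "__array__")


def to_plain_nested_list(obj, _count=None):
    """Recursively copy obj into nested lists of int/float, rejecting proxies.

    Raises TypeError for netrefs, objects with __array__ (including numpy
    arrays, which a client should not be sending) or non-numeric leaves,
    and ValueError when the element budget is exceeded. The result is safe
    to pass to numpy.array() because every element is a local int or float.
    """
    if _count is None:
        _count = [0]
    if is_untrusted_proxy(obj):
        raise TypeError("refusing to convert proxy object %s" % type(obj).__name__)
    if isinstance(obj, (list, tuple)):
        return [to_plain_nested_list(x, _count) for x in obj]
    if isinstance(obj, bool) or not isinstance(obj, numbers.Real):
        raise TypeError("non-numeric leaf: %r" % (obj,))
    _count[0] += 1
    if _count[0] > MAX_ELEMENTS:
        raise ValueError("too many elements (limit %d)" % MAX_ELEMENTS)
    # Materialise a local copy of the scalar.
    return int(obj) if isinstance(obj, numbers.Integral) else float(obj)
```

An exposed service method would call `to_plain_nested_list(client_arg)` first and only then `np.array(...)` on the result.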
Metadata
Created: 2024-03-06T17:05:30Z
Modified: 2024-08-02T15:37:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-h5cg-53g7-gqjw/GHSA-h5cg-53g7-gqjw.json
CWE IDs: ["CWE-306", "CWE-358", "CWE-913"]
Alternative ID: GHSA-h5cg-53g7-gqjw
Finding: F096
Auto approve: 1