logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2020-5252 safety

Package

Manager: pip
Name: safety
Vulnerable Version: >=0 <1.9.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

EPSS: 0.00069 pctl0.21632

Details

Malicious package may avoid detection in python auditing # Python Auditing Vulnerability Demonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety. Tools that are designed to find vulnerable packages can not ever run in the same python environment that they are trying to protect. ## Usage Install `safety`, `insecure-package`, and this package with pip in the same python environment. Order doesn&amp;#39;t matter. 1. pip install safety 2. pip install insecure-package 3. pip install dist/malicious-0.1-py3-none-any.whl Run the check 4. `safety check` You should see both `Running my modified safety.check` and that `insecure-package` is not listed in the results! ## How it Works Everything in Python is mutable. The trick is getting some code to run at interpreter load time in order to do some patching. 1. When you install this package, the `setup.py` settings installs a `malicious.pth` file to your `site-packages` directory. 2. The `malicious.pth` file gets loaded anytime Python starts, which in turn imports our `malicious` package. 3. The `malicious/__init__.py` patches the safety library with a custom function to avoid detection.

Metadata

Created: 2020-03-24T15:07:56Z
Modified: 2024-10-21T21:06:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-7q25-qrjw-6fg2/GHSA-7q25-qrjw-6fg2.json
CWE IDs: ["CWE-807"]
Alternative ID: GHSA-7q25-qrjw-6fg2
Finding: F089
Auto approve: 1