Miggo Logo
Miggo Vulnerability Database
CVE-2023-0434

CVE-2023-0434:
Improper Input Validation in pyload-ng

5.4

CVSS Score
3.0

Basic Information

CVE ID
CVE-2023-0434
GHSA ID
GHSA-x9vc-5q77-m7x4
EPSS Score
0.36228%
CWE
CWE-20
Published
1/22/2023
Updated
1/23/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:P/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
pyload-ngpip< 0.5.0b3.dev400.5.0b3.dev40

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the 'cast' function's handling of 'time' type values in the configuration parser. The pre-patch code only ensured a colon was present and appended ':00' if missing, but didn't validate() numeric ranges for hours (0-23) and minutes (0-59). The patch adds explicit numeric checks and range validation, confirming this was the vulnerable code path. The commit message ('validate time config values') and CWE-20 classification directly align with this missing validation logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Improp*r Input V*li**tion in *it*u* r*pository pylo**/pylo** prior to *.*.***.**v**.

Reasoning

T** vuln*r**ility st*ms *rom t** '**st' *un*tion's **n*lin* o* 'tim*' typ* v*lu*s in t** `*on*i*ur*tion` p*rs*r. T** pr*-p*t** *o** only *nsur** * *olon w*s pr*s*nt *n* *pp*n*** ':**' i* missin*, *ut *i*n't `v*li**t*()` num*ri* r*n**s *or *ours (*-**