
CVE-2023-26145: pydash Command Injection vulnerability

CVSS Score (v3.1): 7.4

Basic Information

EPSS Score: 0.81503%
Published: 9/28/2023
Updated: 10/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Package Name: pydash
Ecosystem: pip
Vulnerable Versions: < 6.0.0
First Patched Version: 6.0.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability documentation explicitly names both functions as entry points. The root cause lies in how they resolve dotted paths, which lets a path reach internal class attributes such as __init__.__globals__. The GitHub commit adds key restrictions to the path resolution helpers (_base_get_object/base_set) that these functions use, and the accompanying tests confirm that the restrictions target dunder attribute access. While helpers.py contains the patched logic, the exposed vulnerability manifests through the invoke() and invoke_map() API methods, which consume attacker-controlled paths.
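As an added illustration (not pydash's own code and not from this page), the following shows a minimal deep-path resolver of the kind the advisory describes next to a hardened variant that applies the same sort of dunder-segment restriction as the 6.0.0 fix; Config, SECRET_TOKEN and the resolver names are constructed for the demo.

```python
class PathAccessError(Exception):
    """Raised when a dotted-path segment is refused or cannot be resolved."""

SECRET_TOKEN = "constructed-sample-value"  # constructed module global the demo reaches

class Config:  # constructed sample object the dotted paths below are applied to
    def __init__(self):
        self.db = {"host": "db.internal", "port": 5432}

    def dsn(self):
        return f"{self.db['host']}:{self.db['port']}"

def _step(obj, key):
    """Resolve one path segment: a dict key, otherwise an attribute."""
    if isinstance(obj, dict):
        return obj[key]
    return getattr(obj, key)

def deep_get_unrestricted(obj, path):
    """Weak resolver: every getattr-reachable attribute is path-reachable, so
    "__init__.__globals__" walks from an instance to its module's globals."""
    for key in path.split("."):
        obj = _step(obj, key)
    return obj

def is_dunder(key):
    """True when a segment names a special attribute such as __init__ or __globals__."""
    return key.startswith("__") and key.endswith("__")

def deep_get_restricted(obj, path):
    """Hardened resolver: refuse dunder segments before touching the object, the
    kind of key restriction the 6.0.0 fix adds to pydash's path helpers."""
    for key in path.split("."):
        if is_dunder(key):
            raise PathAccessError(f"refusing dunder segment {key!r} in {path!r}")
        obj = _step(obj, key)
    return obj

def invoke_restricted(obj, path, *args):
    """invoke()-style call: resolve with the hardened walker, then call the target."""
    return deep_get_restricted(obj, path)(*args)

def path_is_refused(obj, path):
    """True when the hardened resolver rejects the path."""
    try:
        deep_get_restricted(obj, path)
    except PathAccessError:
        return True
    return False
```

Rejecting the segment before the object is touched is what matters: a check that runs after getattr has already followed the path into function globals is too late.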

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original