[Secure-testing-team] Bug#891220: web2py: CVE-2016-3952 CVE-2016-3953 CVE-2016-3954 CVE-2016-3957
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 23 14:08:03 UTC 2018
Source: web2py
Version: 2.12.3-1
Severity: grave
Tags: security upstream
Hi,
the following vulnerabilities were published for web2py.
CVE-2016-3952[0]:
| web2py before 2.14.1, when using the standalone version, allows remote
| attackers to obtain environment variable values via a direct request
| to examples/template_examples/beautify. NOTE: this issue can be
| leveraged by remote attackers to gain administrative access.
CVE-2016-3953[1]:
| The sample web application in web2py before 2.14.2 might allow remote
| attackers to execute arbitrary code via vectors involving use of a
| hardcoded encryption key when calling the session.connect function.
CVE-2016-3954[2]:
| web2py before 2.14.2 allows remote attackers to obtain the
| session_cookie_key value via a direct request to
| examples/simple_examples/status. NOTE: this issue can be leveraged by
| remote attackers to execute arbitrary code using CVE-2016-3957.
CVE-2016-3957[3]:
| The secure_load function in gluon/utils.py in web2py before 2.14.2
| uses pickle.loads to deserialize session information stored in
| cookies, which might allow remote attackers to execute arbitrary code
| by leveraging knowledge of encryption_key.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-3952
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3952
[1] https://security-tracker.debian.org/tracker/CVE-2016-3953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3953
[2] https://security-tracker.debian.org/tracker/CVE-2016-3954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3954
[3] https://security-tracker.debian.org/tracker/CVE-2016-3957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3957
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
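The deserialization pattern named in CVE-2016-3957 (pickle.loads over session data that arrives in a cookie) and the key-exposure issues in CVE-2016-3953 and CVE-2016-3954 invite a contrasting example. The Python below is added here and is not code from the bug report, from MITRE or from web2py; the function names, the cookie layout (base64 body, a colon, then a hex HMAC-SHA256 tag), the `Marker`-free restricted unpickler and the demo key are all assumptions made for illustration.

```python
"""Added example (not web2py code): the session-cookie loading pattern that
CVE-2016-3957 describes, beside a hardened loader that authenticates the cookie
with HMAC and parses it as JSON, plus a pickle stop-gap that refuses globals.
Names, cookie layout and the demo key are assumptions for illustration."""
import base64
import hashlib
import hmac
import io
import json
import pickle
from typing import Any, Optional, Tuple

# Constructed demo key; a real deployment generates a random per-site secret
# and never ships it in sample code (the hardcoded-key problem of CVE-2016-3953).
DEMO_KEY = b"constructed-demo-key-not-for-production"


def legacy_style_load(data: bytes) -> Any:
    """The shape the advisory describes: whatever arrives in the cookie is
    handed to pickle.loads. Anyone who knows (or obtains) the key that
    protects the cookie can supply a pickle that runs code on load."""
    return pickle.loads(data)  # do not use on untrusted input


def secure_dumps_hardened(session: dict, key: bytes) -> str:
    """Serialise session state as JSON and append an HMAC-SHA256 tag."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + ":" + tag


def secure_load_hardened(cookie: str, key: bytes) -> Optional[dict]:
    """Verify the tag in constant time, then parse JSON. Returns None for a
    malformed, tampered or wrongly keyed cookie instead of raising."""
    try:
        body, tag = cookie.rsplit(":", 1)
    except ValueError:
        return None  # no tag present
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tag mismatch: tampered cookie or wrong key
    try:
        value = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None  # well-tagged but not valid JSON
    return value if isinstance(value, dict) else None


class RestrictedUnpickler(pickle.Unpickler):
    """Stop-gap where pickle cannot be removed yet: refuses to resolve any
    global, so no class or function can be reached while unpickling. Only
    plain containers and scalars survive. JSON remains the preferred fix."""

    def find_class(self, module: str, name: str) -> Any:
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_without_globals(obj: Any) -> Tuple[bool, Any]:
    """Pickle obj, then load it through the restricted unpickler.
    Returns (True, value) when accepted, (False, reason) when refused."""
    try:
        return True, restricted_loads(pickle.dumps(obj))
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    cookie = secure_dumps_hardened({"user_id": 42, "role": "editor"}, DEMO_KEY)
    print("cookie:", cookie)
    print("verified:", secure_load_hardened(cookie, DEMO_KEY))
    print("wrong key:", secure_load_hardened(cookie, b"other-key"))
    print("plain dict via restricted pickle:", loads_without_globals({"a": [1, 2]}))
    print("object with a global via restricted pickle:", loads_without_globals(len))
```

The point of the JSON form is the blast radius when the key leaks, which is exactly the chain the report describes (CVE-2016-3954 exposing `session_cookie_key`, then CVE-2016-3957): with JSON the worst a key holder can do is forge session contents, whereas with pickle, key knowledge becomes code execution. The `RestrictedUnpickler` only narrows pickle to containers and scalars and is a bridge for code that cannot switch formats immediately, not a substitute for the switch.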