Bug 1213006 (CVE-2023-34457)

Summary: VUL-0: CVE-2023-34457: python-MechanicalSoup: malicious web server can read arbitrary files on client using file input inside HTML form
Product: [openSUSE] openSUSE Distribution Reporter: Carlos López <carlos.lopez>
Component: SecurityAssignee: Todd R <toddrme2178>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: Leap 15.4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/371231/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-07-05 08:48:21 UTC 
CVE-2023-34457

A malicious web server can read arbitrary files on the client using a <input type="file" ...> inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values.

https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34457
https://bugzilla.redhat.com/show_bug.cgi?id=2219755
Comment 1 Carlos López 2023-07-05 08:49:04 UTC 
According to the advisory, versions <=1.2.0 and >=0.2.0 are affected. We have:
- openSUSE:Backports:SLE-15-SP4  0.12.0
- openSUSE:Backports:SLE-15-SP5  0.12.0
- openSUSE:Factory               1.2.0
Comment 2 OBSbugzilla Bot 2023-12-07 23:05:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1213006) was mentioned in
https://build.opensuse.org/request/show/1131724 Factory / python-MechanicalSoup