Bug 1213006 (CVE-2023-34457) - VUL-0: CVE-2023-34457: python-MechanicalSoup: malicious web server can read arbitrary files on client using file input inside HTML form
Summary: VUL-0: CVE-2023-34457: python-MechanicalSoup: malicious web server can read a...
Status: NEW
Alias: CVE-2023-34457
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.4
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Todd R
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/371231/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-05 08:48 UTC by Carlos López
Modified: 2023-12-07 23:05 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2023-07-05 08:48:21 UTC 
CVE-2023-34457

A malicious web server can read arbitrary files on the client using a <input type="file" ...> inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values.

https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34457
https://bugzilla.redhat.com/show_bug.cgi?id=2219755
Comment 1 Carlos López 2023-07-05 08:49:04 UTC 
According to the advisory, versions <=1.2.0 and >=0.2.0 are affected. We have:
- openSUSE:Backports:SLE-15-SP4  0.12.0
- openSUSE:Backports:SLE-15-SP5  0.12.0
- openSUSE:Factory               1.2.0
Comment 2 OBSbugzilla Bot 2023-12-07 23:05:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1213006) was mentioned in
https://build.opensuse.org/request/show/1131724 Factory / python-MechanicalSoup