Bugzilla – Bug 1221331
VUL-0: CVE-2024-27758: python-rpyc: remote code execution via exposed method
Last modified: 2024-03-19 09:35:02 UTC
In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27758
https://github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-h5cg-53g7-gqjw
https://www.cve.org/CVERecord?id=CVE-2024-27758
https://gist.github.com/renbou/957f70d27470982994f12a1d70153d09
https://bugzilla.redhat.com/show_bug.cgi?id=2269242
Tracking as affected:
- openSUSE:Backports:SLE-15-SP5/python-rpyc 4.1.5
- openSUSE:Factory/python-rpyc
This is an autogenerated message for OBS integration: This bug (1221331) was mentioned in https://build.opensuse.org/request/show/1157613 Factory / python-rpyc
This is an autogenerated message for OBS integration: This bug (1221331) was mentioned in
https://build.opensuse.org/request/show/1157663 Backports:SLE-15-SP5 / python-rpyc
https://build.opensuse.org/request/show/1157675 Backports:SLE-15-SP6 / python-rpyc
openSUSE-SU-2024:0082-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1221331
CVE References: CVE-2024-27758
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): python-rpyc-4.1.5-bp155.3.3.1, python-rpyc-test-4.1.5-bp155.3.3.1
This is an autogenerated message for OBS integration: This bug (1221331) was mentioned in https://build.opensuse.org/request/show/1159233 Backports:SLE-15-SP6 / python-rpyc