CVE-2019-16328 — Prototype Pollution in Project Rpyc

CWE-1321 — Prototype Pollution CWE-285 — Improper Authorization9 documents6 sources

Severity

7.5HIGHNVD

EPSS

73.0%

top 1.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rpyc Project Rpyc Debian Rpyc

Timeline

PublishedOct 3

Latest updateFeb 17

Description

In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶PyPIrpyc_project/rpyc4.1.0 — 4.1.2+1

▶NVDrpyc_project/rpyc4.1.0 — 4.1.1

▶debiandebian/rpyc

🔴Vulnerability Details

OSV

Dynamic modification of RPyC service due to missing security check↗2021-02-17

▶

GHSA

Dynamic modification of RPyC service due to missing security check↗2021-02-17

▶

OSV

Duplicate Advisory: Possible remote code execution via a remote procedure call↗2019-11-20

▶

OSV

CVE-2019-16328: In RPyC 4↗2019-10-03

▶

📋Vendor Advisories

Debian

CVE-2019-16328: rpyc - In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object att...↗2019

▶

📄Research Papers

CTF

20230206-DiceCTF2023-EN / README↗2023

▶

💬Community

Bugzilla

CVE-2019-16328 python-rpyc: missing protocol security check leads remote procedure call that executes code for a RPyC service↗2019-11-18

▶

Bugzilla

CVE-2019-16328 python-rpyc: missing protocol security check leads remote procedure call that executes code for a RPyC service [fedora-all]↗2019-11-18

▶