CVE-2023-37271: Improper Control of Dynamically-Managed Code Resources in RestrictedPython

Severity: 9.9 CRITICAL (NVD)
EPSS: 0.3% (top 46.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 11; latest update Mar 18

Description

RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least generators and generator expressions, which are allowed inside RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a g

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.1 | Impact: 6.0

Affected Packages (6 packages)

PyPI: zopefoundation/restrictedpython, 6.0a1.dev0 to 6.1 (+1)
Ubuntu: zopefoundation/restrictedpython, < 4.0~b3-2ubuntu0.1~esm1 (+2)

Patches

Vulnerability Details (4)

OSV: restrictedpython vulnerabilities (2025-03-18)
OSV: CVE-2023-37271: RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environme (2023-07-11)
GHSA: RestrictedPython vulnerable to arbitrary code execution via stack frame sandbox escape (2023-07-10)
OSV: RestrictedPython vulnerable to arbitrary code execution via stack frame sandbox escape (2023-07-10)

Vendor Advisories (2)

Ubuntu: RestrictedPython vulnerabilities (2025-03-18)
Debian: CVE-2023-37271: restrictedpython - RestrictedPython is a tool that helps to define a subset of the Python language ... (2023)