CVE-2023-41039 — Injection in Restrictedpython

CWE-74 — Injection7 documents5 sources

Severity

7.7HIGHNVD

OSV9.9

EPSS

0.1%

top 74.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zopefoundation Restrictedpython Zope Restrictedpython Debian Restrictedpython

Timeline

PublishedAug 30

Latest updateMar 18

Description

RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With `RestrictedPython`, the format functionality is available via the `format` and `format_map` methods of `str` (and `unicode`) (accessed either via the class or its ins…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages6 packages

▶NVDzope/restrictedpython6.0 — 6.2+1

▶debiandebian/restrictedpython< restrictedpython 6.2-1 (forky)

▶CVEListV5zopefoundation/restrictedpython< 5.4+1

▶PyPIzopefoundation/restrictedpython6.0 — 6.2+1

▶Debianzopefoundation/restrictedpython< 6.2-1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

restrictedpython vulnerabilities↗2025-03-18

▶

OSV

Sandbox escape via various forms of "format".↗2023-08-30

▶

OSV

CVE-2023-41039: RestrictedPython is a restricted execution environment for Python to run untrusted code↗2023-08-30

▶

GHSA

Sandbox escape via various forms of "format".↗2023-08-30

▶

📋Vendor Advisories

Ubuntu

RestrictedPython vulnerabilities↗2025-03-18

▶

Debian

CVE-2023-41039: restrictedpython - RestrictedPython is a restricted execution environment for Python to run untrust...↗2023

▶