CVE-2024-47532 — Sensitive Information Exposure in Restrictedpython

CWE-200 — Sensitive Information Exposure7 documents5 sources

Severity

8.7HIGHNVD

OSV9.9

EPSS

0.8%

top 25.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zopefoundation Restrictedpython Zope Restrictedpython Debian Restrictedpython

Timeline

PublishedSep 30

Latest updateMar 18

Description

RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, If the application does not require access to the module string, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise do not make it available in the restricted execution environment.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages6 packages

▶NVDzope/restrictedpython< 7.3

▶debiandebian/restrictedpython< restrictedpython 8.0-1 (forky)

▶CVEListV5zopefoundation/restrictedpython< 7.3

▶PyPIzopefoundation/restrictedpython< 7.3

▶Debianzopefoundation/restrictedpython< 8.0-1+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

restrictedpython vulnerabilities↗2025-03-18

▶

OSV

RestrictedPython information leakage via `AttributeError.obj` and the `string` module↗2024-09-30

▶

OSV

CVE-2024-47532: RestrictedPython is a restricted execution environment for Python to run untrusted code↗2024-09-30

▶

GHSA

RestrictedPython information leakage via `AttributeError.obj` and the `string` module↗2024-09-30

▶

📋Vendor Advisories

Ubuntu

RestrictedPython vulnerabilities↗2025-03-18

▶

Debian

CVE-2024-47532: restrictedpython - RestrictedPython is a restricted execution environment for Python to run untrust...↗2024

▶