This repository has been archived by the owner on Mar 14, 2023. It is now read-only.

ACE in requests-cache

High
RhinosF1 published GHSA-v5pg-jm72-mqwf Mar 26, 2021

Package

MirahezeBot-Plugins (pip)

Affected versions

source>=4aec19d

Patched versions

source>=cefb261

Description

Impact

Arbitrary command execution could occur in some circumstances due to a vulnerability in requests-cache. We do not believe there is a high risk from use of our services, but we strongly advise you to upgrade and conduct your own review.

Please see https://phab.mirahezebots.org/T228 for work to harden this function.

Patches

Pull cefb261 or later and upgrade requirements. (https://github.com/MirahezeBots/MirahezeBots/commit/cefb261ff392a3de39a467449aa9033b5d8aa803.patch)

Workarounds

Upgrade requests-cache

References

https://snyk.io/vuln/SNYK-PYTHON-REQUESTSCACHE-1089050
https://phab.mirahezebots.org/phame/post/view/6/requests-cache_security_incident/

For more information

If you have any questions or comments about this advisory:

Severity

High 8.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

No known CVE
