CRITICAL 9.8
PYSEC-2026-570
web2py remote code execution via hardcoded encryption key in session.connect function
상세
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the `session.connect` function.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://nvd.nist.gov/vuln/detail/CVE-2016-3953 [ADVISORY]
- https://github.com/web2py/web2py/issues/1205 [WEB]
- https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40 [WEB]
- https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957 [WEB]
- https://github.com/web2py/web2py [PACKAGE]
- https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py [WEB]
- https://usn.ubuntu.com/4030-1 [WEB]
- https://pypi.org/project/web2py [PACKAGE]
- https://github.com/advisories/GHSA-q2rq-qgcf-m22w [ADVISORY]