CVE-2024-56327: pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
(updated )
pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w.
All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details.
Versions of pyrage before 1.2.0 lack plugin support and are therefore not affected.
An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.
Thanks to ⬡-49016 for reporting this issue.
References
- github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c
- github.com/advisories/GHSA-47h8-jmp3-9f28
- github.com/advisories/GHSA-4fg7-vxc8-qx5w
- github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w
- github.com/woodruffw/pyrage
- github.com/woodruffw/pyrage/security/advisories/GHSA-47h8-jmp3-9f28
- nvd.nist.gov/vuln/detail/CVE-2024-56327
Detect and mitigate CVE-2024-56327 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →