CVE-2022-38882 - OpenCVE

The d8s-json for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
D8s-json Project	D8s-json

Configuration 1 [-]

cpe:2.3:a:d8s-json_project:d8s-json:0.1.0:*:*:*:*:python:*:*

References

Link	Resource
https://github.com/democritus-project/d8s-json/issues/9	Exploit Issue Tracking Third Party Advisory
https://pypi.org/project/d8s-json/	Product
https://pypi.org/project/democritus-strings/	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-19T15:28:52

Updated: 2022-09-19T15:28:52

Reserved: 2022-08-29T00:00:00

Link: CVE-2022-38882

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-19T16:15:11.583

Modified: 2022-09-21T16:30:05.680

Link: CVE-2022-38882

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The d8s-json for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-19T15:28:52", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/democritus-strings/"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/d8s-json/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/democritus-project/d8s-json/issues/9"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-38882", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The d8s-json for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://pypi.org/project/democritus-strings/", "refsource": "MISC", "url": "https://pypi.org/project/democritus-strings/"}, {"name": "https://pypi.org/project/d8s-json/", "refsource": "MISC", "url": "https://pypi.org/project/d8s-json/"}, {"name": "https://github.com/democritus-project/d8s-json/issues/9", "refsource": "MISC", "url": "https://github.com/democritus-project/d8s-json/issues/9"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-38882", "datePublished": "2022-09-19T15:28:52", "dateReserved": "2022-08-29T00:00:00", "dateUpdated": "2022-09-19T15:28:52", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}