CVE-2023-48699 - OpenCVE

fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ubertidavide	Fastbots

Configuration 1 [-]

cpe:2.3:a:ubertidavide:fastbots:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57	Patch
https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806	Issue Tracking Patch
https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9	Exploit Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-21T22:25:41.183Z

Updated: 2023-11-21T22:25:41.183Z

Reserved: 2023-11-17T19:43:37.553Z

Link: CVE-2023-48699

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-21T23:15:08.103

Modified: 2023-11-30T15:15:03.913

Link: CVE-2023-48699

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-48699", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-17T19:43:37.553Z", "datePublished": "2023-11-21T22:25:41.183Z", "dateUpdated": "2023-11-21T22:25:41.183Z"}, "containers": {"cna": {"title": "fastbots Eval Injection vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-95", "lang": "en", "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9"}, {"name": "https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806", "tags": ["x_refsource_MISC"], "url": "https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806"}, {"name": "https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57", "tags": ["x_refsource_MISC"], "url": "https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57"}], "affected": [{"vendor": "ubertidavide", "product": "fastbots", "versions": [{"version": "< 0.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-21T22:25:41.183Z"}, "descriptions": [{"lang": "en", "value": "fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above."}], "source": {"advisory": "GHSA-vccg-f4gp-45x9", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ubertidavide:fastbots:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4D23CDD-ACB2-427B-BC2C-1F98D79FE70C", "versionEndExcluding": "0.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above."}, {"lang": "es", "value": "fastbots es una librer\u00eda para el desarrollo r\u00e1pido de robots y raspadores utilizando selenio y el dise\u00f1o de Page Object Model (POM). Antes de la versi\u00f3n 0.1.5, un atacante pod\u00eda modificar el archivo localizador locators.ini con c\u00f3digo Python que sin la validaci\u00f3n adecuada se ejecutaba y podr\u00eda provocar rce. La vulnerabilidad est\u00e1 en la funci\u00f3n `def __locator__(self, locator_name: str)` en `page.py`. Para mitigar este problema, actualice a la versi\u00f3n 0.1.5 o superior de fastbots."}], "id": "CVE-2023-48699", "lastModified": "2023-11-30T15:15:03.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-21T23:15:08.103", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-95"}], "source": "security-advisories@github.com", "type": "Secondary"}]}