CVE-2024-22416 - OpenCVE

pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Pyload-ng Project	Pyload-ng

Configuration 1 [-]

cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*

References

Link	Resource
https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e	Patch
https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc	Patch
https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-17T23:48:31.422Z

Updated: 2024-01-17T23:48:31.422Z

Reserved: 2024-01-10T15:09:55.552Z

Link: CVE-2024-22416

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-18T00:15:38.397

Modified: 2024-01-29T17:02:04.487

Link: CVE-2024-22416

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-22416", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-10T15:09:55.552Z", "datePublished": "2024-01-17T23:48:31.422Z", "dateUpdated": "2024-01-17T23:48:31.422Z"}, "containers": {"cna": {"title": "Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm"}, {"name": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e", "tags": ["x_refsource_MISC"], "url": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e"}, {"name": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc", "tags": ["x_refsource_MISC"], "url": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "< 0.5.0b3.dev78", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-17T23:48:31.422Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade."}], "source": {"advisory": "GHSA-pgpj-v85q-h5fm", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "matchCriteriaId": "DD4F56D8-B2D0-4DDE-B8FD-51F372957087", "versionEndExcluding": "0.5.0b3.dev78", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade."}, {"lang": "es", "value": "pyLoad es un administrador de descargas gratuito y de c\u00f3digo abierto escrito en Python puro. La API `pyload` permite realizar cualquier llamada a la API mediante solicitudes GET. Dado que la cookie de sesi\u00f3n no est\u00e1 configurada en \"SameSite: strict\", esto abre la librer\u00eda a graves posibilidades de ataque a trav\u00e9s de un ataque de Cross-Site Request Forgery (CSRF). Como resultado, cualquier llamada a la API puede realizarse mediante un ataque CSRF por parte de un usuario no autenticado. Este problema se solucion\u00f3 en la versi\u00f3n `0.5.0b3.dev78`. Se recomienda a todos los usuarios que actualicen."}], "id": "CVE-2024-22416", "lastModified": "2024-01-29T17:02:04.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-18T00:15:38.397", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}