Tags: security upstream
The following vulnerabilities were published for web2py.
| web2py before 2.14.1, when using the standalone version, allows remote
| attackers to obtain environment variable values via a direct request
| to examples/template_examples/beautify. NOTE: this issue can be
| leveraged by remote attackers to gain administrative access.

| The sample web application in web2py before 2.14.2 might allow remote
| attackers to execute arbitrary code via vectors involving use of a
| hardcoded encryption key when calling the session.connect function.

| web2py before 2.14.2 allows remote attackers to obtain the
| session_cookie_key value via a direct request to
| examples/simple_examples/status. NOTE: this issue can be leveraged by
| remote attackers to execute arbitrary code using CVE-2016-3957.

| The secure_load function in gluon/utils.py in web2py before 2.14.2
| uses pickle.loads to deserialize session information stored in
| cookies, which might allow remote attackers to execute arbitrary code
| by leveraging knowledge of encryption_key.
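As an added illustration (not web2py's own code), the Python below shows the hardening the last item calls for: a signed-cookie serializer in the spirit of gluon/utils.py that stores JSON instead of a pickle, so that a valid tag, or even a leaked or hardcoded encryption_key, can only ever yield data, never code. The names secure_dumps/secure_loads and the "tag:body" token layout are assumptions, not web2py's actual format.

```python
# Added example, not web2py code: HMAC-signed JSON session cookies as an inert
# replacement for pickle.loads-based cookie deserialization.
import base64
import hashlib
import hmac
import json


def secure_dumps(data, encryption_key):
    """Serialize `data` as JSON and prepend an HMAC-SHA256 tag keyed with encryption_key."""
    body = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")
    ).decode("ascii")
    tag = hmac.new(encryption_key.encode("utf-8"), body.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag + ":" + body  # assumed token layout: <hex tag>:<base64 JSON>


def secure_loads(token, encryption_key):
    """Return the stored object, or None if the tag is wrong or the payload is malformed.

    The payload is JSON, so a correct tag only ever produces plain values; the
    loader has no code-execution path for an attacker who knows encryption_key,
    which is exactly the property pickle.loads cannot offer.
    """
    if not isinstance(token, str) or ":" not in token:
        return None
    tag, body = token.split(":", 1)
    expected = hmac.new(encryption_key.encode("utf-8"), body.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison: verify before touching the payload at all.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode("utf-8")))
    except (ValueError, TypeError):
        return None


if __name__ == "__main__":
    key = "example-session-key"  # constructed sample key, never hardcode one in an app
    cookie = secure_dumps({"user": "alice", "admin": False}, key)
    print(secure_loads(cookie, key))            # the original dict
    print(secure_loads(cookie, "wrong-key"))    # None: tag does not verify
    print(secure_loads(cookie[:-1] + "!", key))  # None: tampered payload rejected
```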
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
Please adjust the affected versions in the BTS as needed.