Source: web2py
Version: 2.12.3-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for web2py.

CVE-2016-3952[0]:
| web2py before 2.14.1, when using the standalone version, allows remote
| attackers to obtain environment variable values via a direct request
| to examples/template_examples/beautify.  NOTE: this issue can be
| leveraged by remote attackers to gain administrative access.

CVE-2016-3953[1]:
| The sample web application in web2py before 2.14.2 might allow remote
| attackers to execute arbitrary code via vectors involving use of a
| hardcoded encryption key when calling the session.connect function.

CVE-2016-3954[2]:
| web2py before 2.14.2 allows remote attackers to obtain the
| session_cookie_key value via a direct request to
| examples/simple_examples/status.  NOTE: this issue can be leveraged by
| remote attackers to execute arbitrary code using CVE-2016-3957.

CVE-2016-3957[3]:
| The secure_load function in gluon/utils.py in web2py before 2.14.2
| uses pickle.loads to deserialize session information stored in
| cookies, which might allow remote attackers to execute arbitrary code
| by leveraging knowledge of encryption_key.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3952
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3952
[1] https://security-tracker.debian.org/tracker/CVE-2016-3953
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3953
[2] https://security-tracker.debian.org/tracker/CVE-2016-3954
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3954
[3] https://security-tracker.debian.org/tracker/CVE-2016-3957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3957

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to