Remote Code Execution (RCE)

Affecting rpyc package, versions [4.1.0,4.1.2)


Overview

rpyc is a transparent library for symmetrical remote procedure calls, clustering, and distributed-computing.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). A remote attacker who can reach an RPyC service can dynamically modify object attributes to construct a remote procedure call that executes code on the server. No misconfiguration is required: an RPyC service running with the default configuration settings is exploitable, so tightening the protocol configuration is not a substitute for upgrading.

Remediation

Upgrade rpyc to version 4.1.2 or higher.
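The following is an added example, not code from the advisory or from the rpyc project: it checks whether an rpyc version string falls inside the affected range [4.1.0,4.1.2) and reports the version installed in the current environment. It assumes Snyk's interval notation ('[' and ']' inclusive, '(' and ')' exclusive) and treats a pre-release such as 4.1.2rc1 as sorting before 4.1.2, so it is still flagged as affected; a post-release such as 4.1.1.post1 is treated as its base version.

```python
"""Added example (not rpyc's or Snyk's code): decide whether an rpyc version
is inside the advisory's affected range [4.1.0,4.1.2) and report what is
installed in this interpreter's environment. Runs without rpyc installed.

Assumptions: Snyk interval notation ('[' / ']' inclusive, '(' / ')' exclusive);
a pre-release (a, b, rc, dev) sorts before its base version; a post-release
is treated as equal to its base version.
"""
import re
from importlib import metadata

AFFECTED_RANGE = "[4.1.0,4.1.2)"   # taken from the advisory
FIXED_VERSION = "4.1.2"            # taken from the advisory


def parse_version(v):
    """Map '4.1.2', '4.1.1.post1' or '4.1.2rc1' to a comparable tuple of ints.

    A pre-release marker appends -1 so that 4.1.2rc1 sorts below 4.1.2;
    any other suffix (e.g. '.post1') is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)", v)
    if not m:
        raise ValueError("unparseable version: %r" % v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    if re.match(r"[.\-_]?(a|b|rc|dev)", m.group(2)):
        nums += (-1,)
    return nums


def compare(a, b):
    """Return -1, 0 or 1 comparing two version tuples, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_interval(spec):
    """Parse '[lo,hi)' into (lo, lo_inclusive, hi, hi_inclusive); an empty bound is unbounded."""
    m = re.fullmatch(r"\s*([\[(])\s*([^,\s]*)\s*,\s*([^\])\s]*)\s*([\])])\s*", spec)
    if not m:
        raise ValueError("bad interval: %r" % spec)
    lo_br, lo, hi, hi_br = m.groups()
    return (
        parse_version(lo) if lo else None,
        lo_br == "[",
        parse_version(hi) if hi else None,
        hi_br == "]",
    )


def is_affected(version, spec=AFFECTED_RANGE):
    """True if `version` lies inside the affected interval `spec`."""
    lo, lo_inc, hi, hi_inc = parse_interval(spec)
    v = parse_version(version)
    if lo is not None:
        c = compare(v, lo)
        if c < 0 or (c == 0 and not lo_inc):
            return False
    if hi is not None:
        c = compare(v, hi)
        if c > 0 or (c == 0 and not hi_inc):
            return False
    return True


def installed_rpyc_version():
    """Version of rpyc installed in this environment, or None if it is absent."""
    try:
        return metadata.version("rpyc")
    except metadata.PackageNotFoundError:
        return None


def audit():
    """Return (installed_version, affected) for this environment."""
    v = installed_rpyc_version()
    return v, (is_affected(v) if v else False)


if __name__ == "__main__":
    version, affected = audit()
    if version is None:
        print("rpyc is not installed")
    elif affected:
        print("rpyc %s is in %s: upgrade to %s or later" % (version, AFFECTED_RANGE, FIXED_VERSION))
    else:
        print("rpyc %s is outside %s" % (version, AFFECTED_RANGE))
```

Run it inside the virtualenv that serves the RPyC service; a check run from a different interpreter reports a different environment's rpyc. The interval parser is generic, so the same `is_affected` call works for other Snyk ranges of the same shape.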


CVSS Score

9.9, high severity (Critical on the CVSS v3.0 qualitative scale, which covers 9.0 to 10.0)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: Low
  • Availability: Low
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Credit: Unknown
CVE: CVE-2019-16328
CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Snyk ID: SNYK-PYTHON-RPYC-471893
Disclosed: 03 Oct, 2019
Published: 03 Oct, 2019