This package is an IPython extension that provides an interactive shell, accessed using the % operator. The vulnerability is due to a bug in the package’s installation process. The installation process checks the package’s dependencies; if any of these packages is vulnerable, the installation process will fail. The vulnerability is in the d8s-ipython package that is used as a dependency by democritus-hypothesis. If the d8s-ipython package is upgraded to version 0.2 or higher, democritus-hypothesis will be upgraded as well. When d8s-ipython is upgraded, the installation process will fail. End users who have already installed democritus-hypothesis are therefore vulnerable. PyPI issued an update for d8s-ipython, version 0.2 and above, which fixed the vulnerability.

Vulnerability details

A vulnerability has been found in the installation process of the d8s-ipython package, which is used as a dependency by democritus-hypothesis. This vulnerability makes it possible for an attacker to bypass the execution of democritus-hypothesis.
The bug is due to a missing check in the installation process. The installation process will check if any packages are vulnerable to CVE-2022-40810 and, if not, proceed with installation. However, if any of these packages is vulnerable, the installation process will fail.
The bug was fixed on PyPI when d8s-ipython was upgraded to version 0.2 or higher on September 14th, 2016. Other packages that use d8s-ipython as a dependency were also updated immediately after this upgrade occurred.
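The advisory above says the fix is d8s-ipython 0.2 or higher, and that users who already installed democritus-hypothesis (which pulls d8s-ipython in as a dependency) are the ones exposed. The following is an added example, not code from the advisory or from either project: it parses `pip freeze` style output, normalises package names, and flags an environment whose d8s-ipython is below 0.2, noting whether democritus-hypothesis is present as the likely reason it was installed. The version comparison is a deliberately simple numeric-tuple compare (it ignores pre-release suffixes), and the sample freeze output is constructed for illustration.

```python
"""Added example: check a pip-freeze listing for an unfixed d8s-ipython.
Assumptions: fixed version 0.2 is taken from the advisory; the sample
freeze output below is constructed, not captured from a real system."""
import re

AFFECTED_PACKAGE = "d8s-ipython"
FIXED_VERSION = "0.2"                     # advisory: 0.2 and above are fixed
DEPENDENT_PACKAGE = "democritus-hypothesis"  # advisory: depends on d8s-ipython


def parse_version(v):
    """Turn '0.1.0' / '0.2' into a comparable tuple of ints.

    Any non-numeric suffix in a component is ignored ('0.2rc1' -> (0, 2)),
    and trailing zeros are dropped so that 0.2 and 0.2.0 compare equal.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_freeze(text):
    """Parse 'name==version' lines into {normalised_name: version}.

    Names are normalised the way PyPI does it: lowercased, with runs of
    '-', '_' and '.' collapsed to a single '-', so d8s_ipython and
    d8s-ipython refer to the same project.
    """
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        name = re.sub(r"[-_.]+", "-", name).lower()
        pkgs[name] = version.strip()
    return pkgs


def is_affected(pkgs):
    """True when d8s-ipython is installed at a version below the fix."""
    v = pkgs.get(AFFECTED_PACKAGE)
    if v is None:
        return False
    return parse_version(v) < parse_version(FIXED_VERSION)


def assess(freeze_text):
    """Summarise exposure for one environment's freeze output."""
    pkgs = parse_freeze(freeze_text)
    affected = is_affected(pkgs)
    return {
        "affected": affected,
        "installed_version": pkgs.get(AFFECTED_PACKAGE),
        # the advisory's scenario: the vulnerable package arrived as a
        # dependency of democritus-hypothesis
        "via_dependent": affected and DEPENDENT_PACKAGE in pkgs,
    }


# Constructed sample of `pip freeze` output (versions are illustrative).
SAMPLE_FREEZE = """\
democritus-hypothesis==0.1.0
d8s_ipython==0.1.0
requests==2.28.1
"""

if __name__ == "__main__":
    result = assess(SAMPLE_FREEZE)
    print(result)
    if result["affected"]:
        print(f"upgrade {AFFECTED_PACKAGE} to >= {FIXED_VERSION}")
```

Feed it the real output of `pip freeze` from each environment you manage; a result with `affected` set means the installed d8s-ipython is older than the fixed release, and `via_dependent` indicates democritus-hypothesis is also present, matching the dependency path the advisory describes.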

CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a computer security scoring system. CVSS scores are intended to provide an objective way of comparing the relative severity of security vulnerabilities. The scores have three parts: Base, Temporal, and Environmental.
Base score: This is the most important component of the scoring system. The base score is calculated by adding the vulnerability’s CVSS Impact Score and CVSS Vector Base Score together, where the impact score is based on different languages and the vector base score is based on different operating systems and architectures.
Temporal score: The temporal score adds multipliers that are proportional to how quickly a vulnerability can be exploited by attackers.
Environmental score: The environmental score adds multipliers that are proportional to how easy it is for attackers to exploit vulnerabilities in certain environments, such as networks or hypervisors.

Timeline

Published on: 09/19/2022 16:15:00 UTC
Last modified on: 09/21/2022 23:05:00 UTC

References