CVE-2022-41383 The d8s-archives package had a backdoor from a third party, democritus-file-system.

This package was published on PyPI on February 11, 2018. PyPI is the centralized repository where Python packages are published, tracked, and maintained. It is a convenient place for software developers to publish their projects, but because it is a public repository it is also a place where security issues can arise. Alongside the release of democritus-file-system came a third-party package called d8s-archives, which is responsible for publishing and distributing d8s-archives. This package is considered risky because it has been found to have a security issue, so we recommend that d8s-archives not be used.

Summary of the d8s-archives Package

The d8s-archives package has a security issue: it has been found to introduce a vulnerability that can be exploited. This is CVE-2022-41383, which affected all versions of Python 3, from 2.7.10 through 3.6.3, and all versions of Python 2, from 2.6 to 2.7. The vulnerability allowed an attacker with certain privilege levels to read arbitrary files on the file system, and it also included an authentication problem that made it possible for any user to delete any file on the file system by setting its permissions to 0 (granted only by owner). PyPI disabled the package as soon as it became aware of the issue, but no fix is currently available for this vulnerability.


Installing d8s-archives

There is a PyPI package called d8s-archives that you should not use, because it has been found to have a security issue.
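Because the backdoor arrived through a dependency, checking only your top-level requirements is not enough. The following is an added example (not code from this advisory or from the packages it names) that walks a resolved dependency graph and reports every path from a top-level requirement to d8s-archives or democritus-file-system. The denylist and the dependency graph are constructed for the demo; in a real environment the graph would be built from importlib.metadata or pipdeptree output.

```python
# Added example: flag direct or transitive dependence on the packages named by
# this advisory. The dependency graph below is CONSTRUCTED for the demo; build
# it from importlib.metadata.requires() or pipdeptree in a real environment.
from collections import deque

# Denylist: the two packages named in the advisory (assumption for this demo).
FLAGGED = {"d8s-archives", "democritus-file-system"}

def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, '_' and '.' fold to '-'."""
    return name.strip().lower().replace("_", "-").replace(".", "-")

def requirement_name(line: str) -> str:
    """Strip a version specifier from a requirements.txt line (no extras/markers)."""
    for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", ";", "["):
        line = line.split(sep, 1)[0]
    return line.strip()

def dependency_paths(top_level, graph, flagged=FLAGGED):
    """Return every path (list of package names) from a top-level requirement
    to a flagged package, breadth-first over the transitive dependency graph."""
    graph = {normalize(k): {normalize(d) for d in v} for k, v in graph.items()}
    flagged = {normalize(p) for p in flagged}
    hits = []
    for root in map(normalize, top_level):
        queue = deque([[root]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in flagged:
                hits.append(path)      # report and stop descending this path
                continue
            for dep in sorted(graph.get(node, ())):
                if dep not in path:    # guard against dependency cycles
                    queue.append(path + [dep])
    return hits

# Constructed sample: a requirements.txt and the graph pip resolved for it.
SAMPLE_REQUIREMENTS = ["requests==2.28.1", "d8s_archives", "reportlib"]
SAMPLE_GRAPH = {
    "requests": {"urllib3", "certifi"},
    "d8s-archives": {"democritus-file-system", "d8s-hashes"},
    "reportlib": {"d8s-hashes"},
    "d8s-hashes": {"democritus-file-system"},
}

if __name__ == "__main__":
    roots = [requirement_name(line) for line in SAMPLE_REQUIREMENTS]
    for path in dependency_paths(roots, SAMPLE_GRAPH):
        print(" -> ".join(path))
```

The sample shows the two cases that matter: d8s_archives is flagged directly, and reportlib is flagged only because it pulls in democritus-file-system two hops down.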


Published on: 10/11/2022 22:15:00 UTC
Last modified on: 10/12/2022 18:59:00 UTC
