When the vulnerable version was installed on a site that held user data, an attacker could access that data, either directly or by installing a malicious package. The exposed data could include credentials, private information, or other records. The package in question is not maintained by the d8s-urls author. We recommend installing the package from PyPI only if you trust the maintainer. Alternatives exist, such as installing a different version or customizing the installation process.

When we first noticed the issue, we emailed the d8s-urls author with the details of the problem, including the versions of Python and of the d8s-urls package that were involved. After a short investigation, the author confirmed that the vulnerability was genuine and fixed it in version 0.1.1.

Summary of the Vulnerability

The d8s-urls package contains a vulnerable version of the Python 2.7 interpreter that, when installed on a site holding user data, allows an attacker to access that data directly or by installing a malicious package. The vulnerability was introduced in a commit made to the upstream project in December 2017 and fixed in version 0.1.1.
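Because the fix is tied to a specific release, the practical check for a defender is whether any dependency manifest still pins d8s-urls below 0.1.1, or leaves it unpinned so that an older build could be resolved. The script below is an added example written for this page, not code from the advisory or from the d8s-urls project. It audits a requirements-style file for the package and reports the installed version if one is present. The sample requirements text is constructed, the version comparison is a simplified numeric one (no pre-release or local-version handling), and the package name `d8s-urls` and fixed version `0.1.1` are taken from the text above.

```python
"""Audit dependency pins for d8s-urls against the fixed release named in the advisory."""
import re
from typing import List, Tuple

# Fixed release named in the advisory text above.
FIXED_VERSION = "0.1.1"
PACKAGE = "d8s-urls"

# Constructed sample requirements file (not from the original page).
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
d8s-urls==0.1.0
d8s_urls==0.1.1
d8s-urls>=0.0.9
# d8s-urls==0.0.1 is commented out and must be ignored
flask
"""

# Matches "<name>[<operator><version>]" at the start of a requirement line.
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def normalize_name(name: str) -> str:
    """PEP 503 style normalization: d8s_urls, d8s.urls and D8S-URLS are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified comparison key: numeric components only (assumption for this example)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_requirements(text: str, package: str = PACKAGE,
                       fixed: str = FIXED_VERSION) -> List[Tuple[int, str, str]]:
    """Return (line number, requirement, finding) for every risky pin of `package`.

    A pin is reported as "vulnerable" when it is an exact pin below `fixed`, and as
    "unpinned" when it is missing or uses a range operator, since a range can still
    resolve to a vulnerable build on a fresh install.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = _PIN_RE.match(line)
        if not match:
            continue
        name, op, version = match.groups()
        if normalize_name(name) != normalize_name(package):
            continue
        if op != "==" or version is None:
            findings.append((lineno, line, "unpinned: pin exactly to %s or later" % fixed))
        elif parse_version(version) < parse_version(fixed):
            findings.append((lineno, line, "vulnerable: %s is below %s" % (version, fixed)))
    return findings


def installed_status(package: str = PACKAGE, fixed: str = FIXED_VERSION) -> str:
    """Report whether the package is installed in this interpreter and if so whether it is fixed."""
    from importlib.metadata import PackageNotFoundError, version  # Python 3.8+
    try:
        installed = version(package)
    except PackageNotFoundError:
        return "not installed"
    if parse_version(installed) < parse_version(fixed):
        return "vulnerable (%s)" % installed
    return "fixed (%s)" % installed


if __name__ == "__main__":
    for lineno, requirement, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print("line %d: %s -> %s" % (lineno, requirement, finding))
    print("installed: %s" % installed_status())
```

Run against a real `requirements.txt` by passing its contents to `audit_requirements`; a clean file returns an empty list, and anything it does return should be re-pinned to 0.1.1 or later before the next deployment.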

Timeline

Published on: 10/11/2022 22:15:00 UTC
Last modified on: 10/13/2022 02:35:00 UTC

References