CVE-2019-16328 — Dynamic modification of RPyC service due to missing security check

Description

In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.

How to fix CVE-2019-16328

To remediate CVE-2019-16328, upgrade the affected package to a fixed version below.

PyPI/rpyc—upgrade to 4.1.2 or later
—upgrade to 4.1.1 or later
—upgrade to 4.1.2 or later

Is CVE-2019-16328 being exploited?

Likely — EPSS is 73.0%, placing CVE-2019-16328 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

>= 4.1.0, < 4.1.2
>= 4.1.0, < 4.1.1
>= 4.1.0, < 4.1.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

References (10)

ADVISORYgithub.com/advisories/GHSA-9ggp-4jpr-7ppj
ADVISORYgithub.com/advisories/GHSA-pj4g-4488-wmxm
ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-16328
PATCHgithub.com/tomerfiliba-org/rpyc
WEB