CVE-2023-43364
CRITICAL9.8EPSS 29.6%Searchor CLI's Search vulnerable to Arbitrary Code using Eval
發布日:2023/9/25修改日:2026/2/4
描述
An issue in Arjun Sharda's Searchor before version v.2.4.2 allows an attacker to execute arbitrary code via a crafted script to the eval() function in Searchor's src/searchor/main.py file, affecting the search feature in Searchor's CLI (Command Line Interface). ### Impact Versions equal to, or below 2.4.1 are affected. ### Patches Versions above, or equal to 2.4.2 have patched the vulnerability. ### References https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection https://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit- https://github.com/jonnyzar/POC-Searchor-2.4.2 https://github.com/ArjunSharda/Searchor/pull/130
受影響套件(2)
- PyPI/searchorfrom 0, < 2.4.2
- PyPI/searchorfrom 0, < 16016506f7bf92b0f21f51841d599126d6fcd15b | from 0, < 2.4.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(9)
- ADVISORYhttps://github.com/advisories/GHSA-66m2-493m-crh2
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-43364
- PATCHhttps://github.com/ArjunSharda/Searchor
- WEBhttps://github.com/ArjunSharda/Searchor/commit/16016506f7bf92b0f21f51841d599126d6fcd15b
- WEBhttps://github.com/ArjunSharda/Searchor/pull/130
- WEBhttps://github.com/ArjunSharda/Searchor/security/advisories/GHSA-66m2-493m-crh2
- WEBhttps://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit-
- WEBhttps://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/searchor/PYSEC-2023-262.yaml