Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-uzfr-vhbe-3qgb

Summary This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.

Aliases

alias	CVE-2023-26145

alias	GHSA-8mjr-6c96-39w8

alias	PYSEC-2023-179

Fixed_packages

url	pkg:pypi/pydash@6.0.0
purl	pkg:pypi/pydash@6.0.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@6.0.0

Affected_packages

url pkg:pypi/pydash@0.0.0

purl pkg:pypi/pydash@0.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@0.0.0

url pkg:pypi/pydash@1.0.0

purl pkg:pypi/pydash@1.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@1.0.0

url pkg:pypi/pydash@1.1.0

purl pkg:pypi/pydash@1.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@1.1.0

url pkg:pypi/pydash@2.0.0

purl pkg:pypi/pydash@2.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@2.0.0

url pkg:pypi/pydash@2.1.0

purl pkg:pypi/pydash@2.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@2.1.0

url pkg:pypi/pydash@2.2.0

purl pkg:pypi/pydash@2.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@2.2.0

url pkg:pypi/pydash@2.3.0

purl pkg:pypi/pydash@2.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@2.3.0

url pkg:pypi/pydash@2.3.1

purl pkg:pypi/pydash@2.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@2.3.1

url pkg:pypi/pydash@2.3.2

purl pkg:pypi/pydash@2.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@2.3.2

url pkg:pypi/pydash@2.4.0

purl pkg:pypi/pydash@2.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@2.4.0

url pkg:pypi/pydash@2.4.1

purl pkg:pypi/pydash@2.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@2.4.1

url pkg:pypi/pydash@2.4.2

purl pkg:pypi/pydash@2.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@2.4.2

url pkg:pypi/pydash@3.0.1

purl pkg:pypi/pydash@3.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.0.1

url pkg:pypi/pydash@3.1.0

purl pkg:pypi/pydash@3.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.1.0

url pkg:pypi/pydash@3.2.0

purl pkg:pypi/pydash@3.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.2.0

url pkg:pypi/pydash@3.2.1

purl pkg:pypi/pydash@3.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.2.1

url pkg:pypi/pydash@3.2.2

purl pkg:pypi/pydash@3.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.2.2

url pkg:pypi/pydash@3.3.0

purl pkg:pypi/pydash@3.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.3.0

url pkg:pypi/pydash@3.4.0

purl pkg:pypi/pydash@3.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.4.0

url pkg:pypi/pydash@3.4.1

purl pkg:pypi/pydash@3.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.4.1

url pkg:pypi/pydash@3.4.2

purl pkg:pypi/pydash@3.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.4.2

url pkg:pypi/pydash@3.4.3

purl pkg:pypi/pydash@3.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.4.3

url pkg:pypi/pydash@3.4.4

purl pkg:pypi/pydash@3.4.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.4.4

url pkg:pypi/pydash@3.4.5

purl pkg:pypi/pydash@3.4.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.4.5

url pkg:pypi/pydash@3.4.6

purl pkg:pypi/pydash@3.4.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.4.6

url pkg:pypi/pydash@3.4.7

purl pkg:pypi/pydash@3.4.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.4.7

url pkg:pypi/pydash@3.4.8

purl pkg:pypi/pydash@3.4.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@3.4.8

url pkg:pypi/pydash@4.0.0

purl pkg:pypi/pydash@4.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.0.0

url pkg:pypi/pydash@4.0.1

purl pkg:pypi/pydash@4.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.0.1

url pkg:pypi/pydash@4.0.2

purl pkg:pypi/pydash@4.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.0.2

url pkg:pypi/pydash@4.0.3

purl pkg:pypi/pydash@4.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.0.3

url pkg:pypi/pydash@4.0.4

purl pkg:pypi/pydash@4.0.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.0.4

url pkg:pypi/pydash@4.1.0

purl pkg:pypi/pydash@4.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.1.0

url pkg:pypi/pydash@4.2.0

purl pkg:pypi/pydash@4.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.2.0

url pkg:pypi/pydash@4.2.1

purl pkg:pypi/pydash@4.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.2.1

url pkg:pypi/pydash@4.3.0

purl pkg:pypi/pydash@4.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.3.0

url pkg:pypi/pydash@4.3.1

purl pkg:pypi/pydash@4.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.3.1

url pkg:pypi/pydash@4.3.2

purl pkg:pypi/pydash@4.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.3.2

url pkg:pypi/pydash@4.3.3

purl pkg:pypi/pydash@4.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.3.3

url pkg:pypi/pydash@4.4.0

purl pkg:pypi/pydash@4.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.4.0

url pkg:pypi/pydash@4.4.1

purl pkg:pypi/pydash@4.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.4.1

url pkg:pypi/pydash@4.5.0

purl pkg:pypi/pydash@4.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.5.0

url pkg:pypi/pydash@4.6.0

purl pkg:pypi/pydash@4.6.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.6.0

url pkg:pypi/pydash@4.6.1

purl pkg:pypi/pydash@4.6.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.6.1

url pkg:pypi/pydash@4.7.0

purl pkg:pypi/pydash@4.7.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.7.0

url pkg:pypi/pydash@4.7.1

purl pkg:pypi/pydash@4.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.7.1

url pkg:pypi/pydash@4.7.3

purl pkg:pypi/pydash@4.7.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.7.3

url pkg:pypi/pydash@4.7.4

purl pkg:pypi/pydash@4.7.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.7.4

url pkg:pypi/pydash@4.7.5

purl pkg:pypi/pydash@4.7.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.7.5

url pkg:pypi/pydash@4.7.6

purl pkg:pypi/pydash@4.7.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.7.6

url pkg:pypi/pydash@4.8.0

purl pkg:pypi/pydash@4.8.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.8.0

url pkg:pypi/pydash@4.9.0

purl pkg:pypi/pydash@4.9.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.9.0

url pkg:pypi/pydash@4.9.1

purl pkg:pypi/pydash@4.9.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.9.1

url pkg:pypi/pydash@4.9.2

purl pkg:pypi/pydash@4.9.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.9.2

url pkg:pypi/pydash@4.9.3

purl pkg:pypi/pydash@4.9.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@4.9.3

url pkg:pypi/pydash@5.0.0

purl pkg:pypi/pydash@5.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@5.0.0

url pkg:pypi/pydash@5.0.1

purl pkg:pypi/pydash@5.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@5.0.1

url pkg:pypi/pydash@5.0.2

purl pkg:pypi/pydash@5.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@5.0.2

url pkg:pypi/pydash@5.1.0

purl pkg:pypi/pydash@5.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@5.1.0

url pkg:pypi/pydash@5.1.1

purl pkg:pypi/pydash@5.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@5.1.1

url pkg:pypi/pydash@5.1.2

purl pkg:pypi/pydash@5.1.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uzfr-vhbe-3qgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pydash@5.1.2

References

reference_url	https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca
reference_id
reference_type
scores
url	https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca

reference_url	https://github.com/dgilland/pydash
reference_id
reference_type
scores
url	https://github.com/dgilland/pydash

reference_url	https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021
reference_id
reference_type
scores
url	https://github.com/dgilland/pydash/commit/6ff0831ad285fff937cafd2a853f20cc9ae92021

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/pydash/PYSEC-2023-179.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/pydash/PYSEC-2023-179.yaml

reference_url	https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518
reference_id
reference_type
scores
url	https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-26145
reference_id	CVE-2023-26145
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-26145

reference_url	https://github.com/advisories/GHSA-8mjr-6c96-39w8
reference_id	GHSA-8mjr-6c96-39w8
reference_type
scores
url	https://github.com/advisories/GHSA-8mjr-6c96-39w8

Weaknesses

cwe_id	77
name	Improper Neutralization of Special Elements used in a Command ('Command Injection')
description	The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uzfr-vhbe-3qgb

Vulnerability Instance