CVE-2023-48699

fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57	Patch
https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806	Issue Tracking Patch
https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ubertidavide:fastbots:*:*:*:*:*:*:*:*

History

30 Nov 2023, 15:15

Type	Values Removed	Values Added
CWE		CWE-94
CPE		cpe:2.3:a:ubertidavide:fastbots::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9 -~~	() https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9 - Exploit, Vendor Advisory
References	~~() https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806 -~~	() https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806 - Issue Tracking, Patch
References	~~() https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57 -~~	() https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57 - Patch

22 Nov 2023, 03:36

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-21 23:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-48699

Mitre link : CVE-2023-48699

CVE.ORG link : CVE-2023-48699

JSON object : View

Products Affected

ubertidavide

fastbots

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

{"id": "CVE-2023-48699", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.5}]}, "published": "2023-11-21T23:15:08.103", "references": [{"url": "https://github.com/ubertidavide/fastbots/commit/73eb03bd75365e112b39877e26ef52853f5e9f57", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-95"}]}], "descriptions": [{"lang": "en", "value": "fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above."}, {"lang": "es", "value": "fastbots es una librer\u00eda para el desarrollo r\u00e1pido de robots y raspadores utilizando selenio y el dise\u00f1o de Page Object Model (POM). Antes de la versi\u00f3n 0.1.5, un atacante pod\u00eda modificar el archivo localizador locators.ini con c\u00f3digo Python que sin la validaci\u00f3n adecuada se ejecutaba y podr\u00eda provocar rce. La vulnerabilidad est\u00e1 en la funci\u00f3n `def __locator__(self, locator_name: str)` en `page.py`. Para mitigar este problema, actualice a la versi\u00f3n 0.1.5 o superior de fastbots."}], "lastModified": "2023-11-30T15:15:03.913", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ubertidavide:fastbots:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4D23CDD-ACB2-427B-BC2C-1F98D79FE70C", "versionEndExcluding": "0.1.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}