
dcnnt-py is vulnerable to command injection via Notification Handler

Moderate severity GitHub Reviewed Published Apr 27, 2024 to the GitHub Advisory Database • Updated May 10, 2024

Package

dcnnt (pip)

Affected versions

<= 0.9.0

Patched versions

0.9.1

Description

A vulnerability was found in cyanomiko dcnnt-py up to 0.9.0. It has been classified as critical. It affects the function main in the file dcnnt/plugins/notifications.py of the Notification Handler component. The manipulation leads to command injection, and the attack can be launched remotely. Upgrading to version 0.9.1 addresses this issue; the patch is identified as b4021d784a97e25151a5353aa763a741e9a148f5. Upgrading the affected component is recommended. VDB-262230 is the identifier assigned to this vulnerability.

References

Published by the National Vulnerability Database Apr 27, 2024
Published to the GitHub Advisory Database Apr 27, 2024
Reviewed Apr 30, 2024
Last updated May 10, 2024

Severity

Moderate 6.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Weaknesses

CVE ID

CVE-2023-1000

GHSA ID

GHSA-8p42-7597-p2f6

Source code
