Skip to content

Python Auditing Vulnerability

Low
harlekeyn published GHSA-7q25-qrjw-6fg2 Mar 20, 2020

Package

safety (pypi)

Affected versions

<=1.8.6

Patched versions

1.9.0

Description

Impact

There are two Python characteristics (1, 2) that allow malicious code to “poison-pill” command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages.

This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself.

This can happen if:

  • You are running Safety in a Python environment that you don’t trust.
  • You are running Safety from the same Python environment where you have your dependencies installed.
  • Dependency packages are being installed arbitrarily or without proper verification.

Mitigation options

  • Perform a static analysis by installing Docker and running the Safety Docker image:
    $ docker run --rm -it pyupio/safety check -r requirements.txt
  • Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment.
  • Run Safety from a Continuous Integration pipeline.
  • Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them.
  • Use PyUp's Online Requirements Checker.

References

https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln/
https://github.com/akoumjian/python-safety-vuln
https://pyup.io/posts/patched-vulnerability/

Researchers

Alec Koumjian

Severity

Low

CVE ID

CVE-2020-5252

Weaknesses

No CWEs

Credits