CVE-2016-3953

Published on: 02/06/2018 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:03 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of web2py (vendor: web2py) contain the following vulnerability:

The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.
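The weakness described above is a secret that ships in source code: a cookie-stored web2py session is encrypted with the value passed as `cookie_key` to `session.connect`, so a key that is the same in every installation of the sample application lets anyone who can read that public sample forge session cookies. The following is an added example, not code from the web2py project or from the sample application it refers to. It shows an AST scan that flags `session.connect(..., cookie_key=<string literal>)` in a models file, next to a hardened way of supplying the key from a per-install file. The sample model sources, the literal key `example-hardcoded-key`, the helper names `load_cookie_key`/`find_hardcoded_cookie_keys`/`key_roundtrip_demo` and the file path are all constructed for this example; only the `cookie_key` keyword of `session.connect` is web2py's own. Requires Python 3.8+ for `ast.Constant`.

```python
"""
Added example (not web2py project code): detect the CVE-2016-3953 pattern of a
literal cookie_key passed to session.connect(), and show a per-install key
source instead. Model sources below are constructed, not quoted from web2py.
"""
import ast
import os
import secrets
import tempfile
from typing import List, Tuple

# Constructed sample resembling a web2py models file with a hardcoded key.
VULNERABLE_MODEL = """
session.connect(request, response, cookie_key='example-hardcoded-key', compression_level=None)
"""

# Constructed hardened variant: the key comes from a file kept out of the repo.
HARDENED_MODEL = """
session.connect(request, response, cookie_key=load_cookie_key('private/session.key'), compression_level=None)
"""


def find_hardcoded_cookie_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line, literal) for every session.connect(..., cookie_key=<str literal>).

    A literal shipped in source is identical in every deployment of that code,
    so whoever reads the source can encrypt a session cookie the server will
    accept; the key must therefore be unique per installation.
    """
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match only session.connect(...), not other .connect() calls (e.g. sockets).
        if not (isinstance(func, ast.Attribute) and func.attr == "connect"
                and isinstance(func.value, ast.Name) and func.value.id == "session"):
            continue
        for kw in node.keywords:
            if (kw.arg == "cookie_key" and isinstance(kw.value, ast.Constant)
                    and isinstance(kw.value.value, str)):
                findings.append((node.lineno, kw.value.value))
    return findings


def load_cookie_key(path: str) -> str:
    """Hypothetical helper: read a per-install key, generating it on first use.

    The key never enters version control; mode 0600 keeps it from other local
    users. Rotating the file invalidates every existing cookie-stored session.
    """
    if os.path.exists(path):
        with open(path) as fh:
            key = fh.read().strip()
        if len(key) >= 32:
            return key
    key = secrets.token_hex(32)  # 256 bits of randomness, hex-encoded
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    return key


def key_roundtrip_demo() -> Tuple[bool, int]:
    """Generate a key into a temp dir, reload it, return (stable_across_reads, length)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "session.key")
        first = load_cookie_key(path)
        second = load_cookie_key(path)
        return first == second, len(first)


if __name__ == "__main__":
    print(find_hardcoded_cookie_keys(VULNERABLE_MODEL))
    print(find_hardcoded_cookie_keys(HARDENED_MODEL))
    print(key_roundtrip_demo())
```

Run the scanner over each `applications/*/models/*.py` file of a deployment; any hit means the session cookie key is shared with everyone who has the source. Note that the scan only catches keys written as string literals directly in the call; a literal assigned to a module-level name and passed by name is just as weak and would need a second pass that resolves simple assignments.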

  • CVE-2016-3953 has been assigned by [email protected] to track the vulnerability, currently rated as CRITICAL severity.

CVSS3 Score: 9.8 - CRITICAL

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2 Score: 7.5 - HIGH

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVE References

  • WEB2PY deserialization security issue - CVE-2016-3957 | DEVCORE (tags: Exploit, Technical Description, Third Party Advisory; source: MISC; the write-up covers the related web2py issue CVE-2016-3957)
    devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/
  • USN-4030-1: web2py vulnerabilities | Ubuntu security notices (source: UBUNTU)
    usn.ubuntu.com, USN-4030-1
  • web2py/session.py at R-2.14.1 · web2py/web2py · GitHub (tags: Third Party Advisory; source: MISC)
    github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py

Known Affected Configurations (CPE V2.3)

Type: Application
Vendor: web2py
Product: web2py
Version: All
Update: All
Edition: All
Language: All
  • cpe:2.3:a:web2py:web2py:*:*:*:*:*:*:*:*