Withdrawn: Code Injection in loguru

Low severity GitHub Reviewed Published Jan 28, 2022 to the GitHub Advisory Database • Updated Feb 3, 2023
Withdrawn This advisory was withdrawn on Feb 1, 2022

Package

pip loguru (pip)

Affected versions

<= 0.5.3

Patched versions

0.6.0

Description

Withdrawn

This advisory has been withdrawn after the maintainers of loguru noted this issue is not a security vulnerability and the CVE has been revoked. We have stopped Dependabot alerts regarding this issue.

Original Description

In versions of loguru up to and including 0.5.3, a lack of sanitization on log serialization can lead to arbitrary code execution. The maintainer disputes the issue, but has altered the behavior of the library in commit 4b0070a4f30cbf6d5e12e6274b242b62ea11c81b. See Delgan/loguru#563 for further discussion of the issue. The function in question is intended for internal use only, but is not restricted. This has been patched in version 0.6.0.

References

Published by the National Vulnerability Database Jan 21, 2022
Reviewed Jan 25, 2022
Published to the GitHub Advisory Database Jan 28, 2022
Withdrawn Feb 1, 2022
Last updated Feb 3, 2023

Severity

Low

EPSS score

0.044%
(14th percentile)

CVE ID

CVE-2022-0329

GHSA ID

GHSA-cvp7-c586-cmf4
