Upstream information

CVE-2024-27758 at MITRE

Description

In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

SUSE Bugzilla entry: 1221331 [IN_PROGRESS]

SUSE Security Advisories:

List of released packages

Product(s), fixed package version(s) and references:

SUSE Package Hub 15 SP5
  Fixed package version(s):
  • python3-rpyc >= 4.1.5-bp155.3.3.1
  Patchnames:
  • openSUSE-2024-82

openSUSE Leap 15.5
  Fixed package version(s):
  • python3-rpyc >= 4.1.5-bp155.3.3.1
  Patchnames:
  • openSUSE-2024-82

openSUSE Tumbleweed
  Fixed package version(s):
  • python310-rpyc >= 6.0.0-1.1
  • python311-rpyc >= 6.0.0-1.1
  • python312-rpyc >= 6.0.0-1.1
  • python39-rpyc >= 6.0.0-1.1
  Patchnames:
  • openSUSE Tumbleweed GA python310-rpyc-6.0.0-1.1


SUSE Timeline for this CVE

CVE page created: Tue Mar 12 19:00:19 2024
CVE page last modified: Tue Apr 2 00:39:03 2024