CVE-2022-32998: 
Python vulnerability analysis and mitigation

The cryptoasset-data-downloader package in PyPI versions 1.0.0 to 1.0.1 was discovered to contain a code execution backdoor via the request package. The vulnerability was disclosed on June 24, 2022 and assigned identifier CVE-2022-32998. The affected component is the PyPI package cryptoasset-data-downloader in versions 1.0.0 through 1.0.1 (NVD).

The vulnerability exists due to a malicious backdoor inserted via the request package dependency. The severity is rated as CRITICAL with a CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability could be triggered when installing the affected versions using pip with certain mirror sites that still hosted the malicious package (GitHub Issue).

This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges on affected systems. The high CVSS score indicates critical impact on confidentiality, integrity and availability of the affected systems (NVD).

The recommended mitigation is to avoid using versions 1.0.0 and 1.0.1 of the cryptoasset-data-downloader package. Users should update to newer versions that do not contain the malicious request package dependency (GitHub Issue).