CVE-2022-34983: 
Python vulnerability analysis and mitigation

The scu-captcha package in PyPI versions 0.0.1 to 0.0.4 was discovered to contain a code execution backdoor that was maliciously inserted by a third party (GitHub Issue). The vulnerability was disclosed on July 22, 2022. The affected component is the PyPI package scu-captcha, which is a Python library for CAPTCHA recognition.

The backdoor was implemented through a malicious dependency called 'request' package that was included in versions 0.0.1 through 0.0.4. Even after the malicious request package was removed from PyPI, it remained available on some mirror sites, allowing continued installation of the compromised versions. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The backdoor could allow attackers to execute arbitrary code on systems where the vulnerable versions of scu-captcha are installed. This could potentially lead to complete system compromise, as the backdoor provides attackers with the ability to run malicious code with the privileges of the Python process (GitHub Issue).

Users should ensure they are using version 0.0.5 or later of the scu-captcha package. The recommended fix is to delete versions 0.0.1 through 0.0.4 from PyPI and replace the malicious 'request' package with the legitimate 'requests' package (GitHub Issue, PyPI).