CVE-2023-41039: 
Python vulnerability analysis and mitigation

RestrictedPython, a restricted execution environment for Python designed to run untrusted code, was found to contain a critical security vulnerability (CVE-2023-41039) affecting all versions prior to 5.4 and 6.2. The vulnerability was discovered and disclosed on August 30, 2023, impacting the Python's format functionality implementation within RestrictedPython (GitHub Advisory).

The vulnerability exists in Python's format functionality, which allows an attacker controlling the format string to read all objects accessible through recursive attribute lookup and subscription from accessible objects. The vulnerability specifically affects the format and format_map methods of str (and unicode) class and its instances, as well as string.Formatter. The issue has been assigned a CVSS v3.1 base score of 8.3 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L (NVD, GitHub Advisory).

The vulnerability can lead to critical information disclosure, allowing attackers to access sensitive data through recursive attribute lookup and subscription from objects they can access. This represents a significant security breach in the restricted execution environment (GitHub Advisory).

The vulnerability has been addressed in commit 4134aedcff1 and included in versions 5.4 and 6.2 of RestrictedPython. Users are strongly advised to upgrade to these patched versions as there are no known workarounds for this vulnerability (GitHub Commit, GitHub Advisory).