CVE-2023-43364: 
Python vulnerability analysis and mitigation

Searchor before version 2.4.2 contains a critical vulnerability (CVE-2023-43364) in the search feature of its Command Line Interface (CLI). The vulnerability was discovered in the main.py file where the use of eval() on CLI input could lead to arbitrary code execution (GitHub Advisory).

The vulnerability exists in src/searchor/main.py where the search function uses eval() to process user input through the query parameter. The vulnerable code executes: eval(f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"). This implementation allows for arbitrary code execution if the query parameter is not properly sanitized. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to execute arbitrary code on the affected system through the CLI search feature. This could lead to complete system compromise, including unauthorized access to sensitive data, system modification, and potential service disruption (GitHub Advisory).

The vulnerability has been patched in version 2.4.2 by removing the eval() function and replacing it with a more secure implementation. Users should upgrade to version 2.4.2 or later to mitigate this vulnerability. The fix was implemented through a pull request that changed how the search method is called in the CLI code (Pull Request).

The security community has actively discussed this vulnerability, with multiple researchers creating proof-of-concept exploits. The vulnerability received significant attention due to its critical severity rating and the simplicity of exploitation (GitHub Discussion).