CVE-2023-47890: 
Python vulnerability analysis and mitigation

pyLoad 0.5.0 contains a critical vulnerability related to unrestricted file upload that can lead to remote code execution (RCE). The vulnerability, identified as CVE-2023-47890, was discovered in November 2023 and allows authenticated users to store files in arbitrary locations on the pyLoad server (GitHub Advisory).

The vulnerability stems from insufficient directory traversal protection in the package editing functionality. While the initial package creation includes filters to prevent directory traversal, these protections are absent when editing packages. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (GitHub Advisory).

The vulnerability allows authenticated users to gain control over the underlying pyLoad server through arbitrary file upload and potential remote code execution. An attacker can exploit this to achieve high levels of confidentiality breach, integrity compromise, and availability impact (GitHub Advisory).

The vulnerability has been patched in version 0.5.0b3.dev75. Users are advised to upgrade to this version or later to protect against this security issue (GitHub Advisory).