CVE-2023-6395: 
Python vulnerability analysis and mitigation

CVE-2023-6395 is a security vulnerability discovered in the Mock software, a chroot build environment manager for building RPM packages. The vulnerability was disclosed on January 16, 2024, affecting the Mock software's templated-dictionary component. The issue stems from the absence of proper sandboxing during the expansion and execution of Jinja2 templates, which can be included in certain configuration parameters (NVD, OSS-Security).

The vulnerability exists in the Mock software's handling of Jinja2 templates through the TemplatedDictionary python class. The issue was introduced in mock 1.4 in 2019 and later split into a separate project in 2021. The vulnerability has received a CVSS v3.1 base score of 6.7 (Medium) from Red Hat with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while NVD assigned a score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability allows attackers to achieve privilege escalation and execute arbitrary code with root user privileges on the build server. While Mock documentation advises treating users added to the mock group as privileged, certain build systems invoking mock on behalf of users might inadvertently permit less privileged users to define configuration tags that could be exploited (OSS-Security).

The issue has been fixed in templated-dictionary version 1.4.1 through two main patches: implementing a sandboxed jinja2 environment and making the TemplatedDictionary objects picklable. Updates have been released for various distributions including Fedora 38 and 39. Users are advised to upgrade to the patched versions (GitHub Patch, Fedora Update).