CVE-2024-27292: 
Python vulnerability analysis and mitigation

Docassemble, an expert system for guided interviews and document assembly, was found to contain a vulnerability (CVE-2024-27292) that allows attackers to gain unauthorized access to information through URL manipulation. The vulnerability affects versions 1.4.53 to 1.4.96 of the docassemble.webapp package (GitHub Advisory, NVD).

The vulnerability is classified as CWE-706 (Use of Incorrectly-Resolved Name or Reference) with a CVSS v3.1 base score of 7.5 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability enables attackers to gain unauthorized access to information on the system through URL manipulation, potentially exposing sensitive data (GitHub Advisory).

The vulnerability has been patched in version 1.4.97 of the master branch, and the Docker image on docker.io has been updated. If upgrading is not possible, users can manually apply the changes from commit 97f77dc and restart the server (GitHub Advisory).