CVE-2024-47532: 
Python vulnerability analysis and mitigation

RestrictedPython, a restricted execution environment for Python designed to run untrusted code, was found to contain a security vulnerability (CVE-2024-47532) that was disclosed on September 30, 2024. The vulnerability affects all versions prior to 7.3, allowing users to gain unauthorized access to protected information through AttributeError.obj and the string module (NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Additionally, it received a CVSS v4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows attackers to gain unauthorized access to protected and potentially sensitive information through indirect means, specifically via AttributeError.obj and the string module. This information disclosure vulnerability could potentially expose sensitive data that should be restricted within the execution environment (GitHub Advisory).

The vulnerability has been fixed in RestrictedPython version 7.3. For users unable to upgrade immediately, a workaround is available: if the application does not require access to the string module, it can be removed from RestrictedPython.Utilities.utility_builtins or otherwise made unavailable in the restricted execution environment (GitHub Advisory, GitHub Patch).