{ "schema_version": "1.4.0", "id": "GHSA-8rf6-w2mx-4xjh", "modified": "2024-09-25T17:36:44Z", "published": "2019-08-19T23:45:47Z", "withdrawn": "2019-08-20T14:13:17Z", "aliases": [ "CVE-2019-15149" ], "summary": "Undirectional routing wasn't respected in some cases in Mitogen", "details": "core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with hypothetical other factors, i.e., an affected use case within a library caller, and a bug in the message receiver policy code that led to reliance on this extra protection mechanism.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "mitogen" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.2.8" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15149" }, { "type": "WEB", "url": "https://github.com/dw/mitogen/commit/5924af1566763e48c42028399ea0cd95c457b3dc" }, { "type": "PACKAGE", "url": "https://github.com/dw/mitogen" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mitogen/PYSEC-2019-104.yaml" }, { "type": "WEB", "url": "https://mitogen.networkgenomics.com/changelog.html#v0-2-8-2019-08-18" } ], "database_specific": { "cwe_ids": [], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2019-08-19T23:45:21Z", "nvd_published_at": "2019-08-18T20:15:00Z" } }