This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.

**Note:**

The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:

1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)

2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)

The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.

Advisories

CVE-2023-5129 (Heap Buffer Overflow vulnerability in libwep)

September 28, 2023

Read Time:1 Minute, 20 Second

What is libwebp?

Libwebp is an open-source library developed by Google for encoding and decoding images in the Webp format. Libwebp is used by various software applications, inlcuding web browsers (i.e. Chrome, Microsoft Edge, Safari, and Mozilla Firefox), image editors, Content Delivery Networks (CDNs), and various website and online services.

What is the Attack?

CVE-2023-5129 is a heap buffer overflow vulnerability that affects libwebp. Successful exploitation of the vulnerability can result in remote code execution or cause a denial-of-service (DoS) condition.

Google initially identified this as a Chrome vulnerability and assigned it CVE-2023-4863. It turns out that the vulnerability affects the libwebp library, which has broader impact beyond Chrome. This prompted Google to assign a new CVE (CVE-2023-5129) to the vulnerability. The CVSS score has also been raised accordingly from 8.8 to 10.

Why is this Significant?

This is significant because the vulnerability affects widely used libwebp library and is being exploited in the wild, which means that a large number of users could be potentially affected. CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on September 13th, 2023. As such, patches should be applied as soon as they become available.

What is the Vendor Solution?

Although Google released a patch for Chrome on September 11, 2023, each software application that employs libwebp need to distribute its own update. As such, it’s important to keep all software up to date.

What FortiGuard Coverage is available?

FortiGuard Labs is currently investigating coverage feasibility and will update this Threat Signal once relevant information becomes available.

Advisories

USN-6369-2: libwebp vulnerability

September 28, 2023

Read Time:21 Second

USN-6369-1 fixed a vulnerability in libwebp. This update provides the
corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

It was discovered that libwebp incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a
specially crafted image file, a remote attacker could use this issue to
cause libwebp to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Advisories