Missing authentication on dangerous API endpoint
The flaw is relatively simple and stems from the fact that one API endpoint, /api/v1/validate/code, lacked authentication checks and passed user-supplied code to the Python exec function. However, it didn't run exec directly on functions, but on function definitions, which make functions available for execution but don't execute their code.

Because of this, the Horizon3.ai researchers had to come up with another exploitation technique leveraging a Python feature called decorators, which "are functions that return functions that wrap other functions."

The proof-of-concept published by Horizon3.ai on April 9 leverages decorators to achieve remote code execution, but the researchers note that a third-party researcher also achieved the same by abusing another feature of Python functions called default arguments.
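The distinction the article draws is that exec on a plain `def` only binds a name, while decorators and default arguments are expressions the interpreter evaluates at definition time. The following is an added example, not code from Horizon3.ai or from the affected project: a hypothetical pre-exec validator that parses the submitted source with the standard `ast` module and flags every construct that would execute during the definition itself (decorators, default and keyword-only defaults, parameter and return annotations, imports, and any top-level statement that is not a function definition). It also includes a small constructed benign definition to show that exec of a bare `def` does not run the body. All sample code strings are constructed for this illustration.

```python
import ast
from typing import List, Tuple

# Constructed, known-benign sample: the body only appends to a list supplied
# by the caller, so we can tell whether it ran.
BENIGN_DEF = "def f():\n    ran.append(True)\n"


def body_runs_on_exec(source: str) -> bool:
    """Exec a benign function definition in an isolated namespace and report
    whether its body executed. Demonstrates that `exec` on a `def` only binds
    the name; the body runs only when the function is later called."""
    namespace = {"ran": []}
    exec(source, namespace)  # constructed input only; never exec untrusted code
    return bool(namespace["ran"])


def definition_time_risks(source: str) -> List[Tuple[int, str]]:
    """Return (lineno, reason) pairs for constructs that the interpreter
    evaluates when the module body is exec'd, even though they sit on or
    inside a function definition. Hypothetical validator for this article."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source)
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            # Decorators are called with the function object at definition time.
            for dec in node.decorator_list:
                findings.append((dec.lineno, "decorator evaluated at definition time"))
            args = node.args
            # Positional and keyword-only defaults are evaluated once, at definition.
            defaults = list(args.defaults) + [d for d in args.kw_defaults if d is not None]
            for default in defaults:
                findings.append((default.lineno, "default argument evaluated at definition time"))
            # Annotations are also evaluated eagerly unless deferred via __future__.
            params = list(args.posonlyargs) + list(args.args) + list(args.kwonlyargs)
            if args.vararg is not None:
                params.append(args.vararg)
            if args.kwarg is not None:
                params.append(args.kwarg)
            for param in params:
                if param.annotation is not None:
                    findings.append((param.annotation.lineno, "parameter annotation evaluated at definition time"))
            if node.returns is not None:
                findings.append((node.returns.lineno, "return annotation evaluated at definition time"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append((node.lineno, "import executes module-level code"))
        else:
            findings.append((node.lineno, "top-level statement executed immediately"))
    return findings


def is_safe_to_exec(source: str) -> bool:
    """True only when the source consists solely of bare function definitions
    with no definition-time expressions. Syntax errors are treated as unsafe."""
    try:
        return not definition_time_risks(source)
    except SyntaxError:
        return False


if __name__ == "__main__":
    print("bare def body ran on exec:", body_runs_on_exec(BENIGN_DEF))
    for sample in (
        "def f(x):\n    return x * 2\n",          # constructed: plain def
        "@print\ndef f():\n    pass\n",           # constructed: decorator
        "def f(x=len('abc')):\n    pass\n",       # constructed: default argument
        "def f(x: int) -> str:\n    pass\n",      # constructed: annotations
        "import os\ndef f():\n    pass\n",        # constructed: import
    ):
        print(is_safe_to_exec(sample), definition_time_risks(sample))
```

The validator deliberately rejects annotations as well, because an annotation is an arbitrary expression evaluated at definition time just like a default argument; a validator that only checked for decorators and defaults would leave that path open. In practice the endpoint should also require authentication, and any code-validation feature should parse rather than exec untrusted input.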