Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report.
This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Bloomberg Memray
cpe:2.3:a:bloomberg:memray:*:*:*:*:*:python:*:*
|
— |
1.19.2
|
References 3
https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545c…
security-advisories@github.com
https://github.com/bloomberg/memray/releases/tag/v1.19.2
security-advisories@github.com
https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9
security-advisories@github.com