A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects some unknown functionality of the file psiturk/experiment.py. The manipulation of the argument mode with an unknown input leads to a improper neutralization of special elements used in a template engine vulnerability. The CWE definition for the vulnerability is CWE-1336. The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was released 01/27/2023 as 517. The advisory is shared for download at github.com. This vulnerability was named CVE-2021-4315. Technical details and also a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1221.

It is possible to download the exploit at github.com. It is declared as proof-of-concept.

Upgrading to version 3.2.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 47787e15cecd66f2aa87687bf852ae0194a4335f is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. The advisory contains the following remark:

Fixed an issue where users could pass arbitrary Python code to be executed on the server to the mode HTTP arg

Productinfo

Vendor

• NYUCCL

Name

• psiTurk

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion