Bug ID 1207671
Summary VUL-0: CVE-2023-23608: python-spotipy: URI and URL parser allows an attacker to insert arbitrary characters into the path
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
URL https://smash.suse.de/issue/355227/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Basesystem
Assignee screening-team-bugs@suse.de
Reporter abergmann@suse.com
QA Contact security-team@suse.de
Found By Security Response Team
Blocker ---

CVE-2023-23608

Spotipy is a light weight Python library for the Spotify Web API. In versions
prior to 2.22.1, if a malicious URI is passed to the library, the library can be
tricked into performing an operation on a different API endpoint than intended.
The code Spotipy uses to parse URIs and URLs allows an attacker to insert
arbitrary characters into the path that is used for API requests. Because it is
possible to include "..", an attacker can redirect for example a track lookup
via spotifyApi.track() to an arbitrary API endpoint like playlists, but this is
possible for other endpoints as well. The impact of this vulnerability depends
heavily on what operations a client application performs when it handles a URI
from a user and how it uses the responses it receives from the API. This issue
is patched in version 2.22.1.
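The following Python snippet is an added illustration and is not spotipy's own code (neither the vulnerable nor the fixed version). It contrasts a simplified "take the last path segment" parser, which lets a crafted URI carry ".." into the request path, with a hardened parser that checks the resource type and only accepts a 22-character base62 ID before the path is built. The 22-character base62 ID format is an assumption taken from the public shape of Spotify IDs; the sample ID and the hostile URI are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: Spotify IDs are 22-character base62 strings.
_SPOTIFY_ID = re.compile(r"^[0-9A-Za-z]{22}$")


class InvalidSpotifyId(ValueError):
    """Raised when a URI/URL does not yield a well-formed Spotify ID."""


def naive_get_id(kind, value):
    """Simplified vulnerable pattern (not spotipy's code): take whatever follows
    the last separator of 'spotify:<kind>:<id>' or '.../<kind>/<id>' and trust
    it verbatim. The tail ends up in the API path unchecked, including '..'."""
    if value.startswith("spotify:"):
        return value.split(":")[-1]
    if "open.spotify.com/" in value:
        return value.split("/")[-1]
    return value


def safe_get_id(kind, value):
    """Hardened parser: accept a bare ID, a 'spotify:<kind>:<id>' URI, or an
    open.spotify.com URL. The type segment must match the requested kind and
    the ID must be base62 only, so path separators and '..' never reach the
    request path."""
    if value.startswith("spotify:"):
        parts = value.split(":")
        if len(parts) != 3 or parts[1] != kind:
            raise InvalidSpotifyId(f"expected a {kind} URI, got {value!r}")
        candidate = parts[2]
    elif value.startswith(("http://", "https://")):
        url = urlsplit(value)
        segments = [s for s in url.path.split("/") if s]
        if url.netloc != "open.spotify.com" or len(segments) != 2 or segments[0] != kind:
            raise InvalidSpotifyId(f"expected an open.spotify.com {kind} URL, got {value!r}")
        candidate = segments[1]
    else:
        candidate = value
    if not _SPOTIFY_ID.fullmatch(candidate):
        raise InvalidSpotifyId(f"malformed {kind} id in {value!r}")
    return candidate


def is_valid_reference(kind, value):
    """Boolean wrapper around safe_get_id for callers that only need a check."""
    try:
        safe_get_id(kind, value)
    except InvalidSpotifyId:
        return False
    return True


def build_path(kind, value, get_id=safe_get_id):
    """Relative API path a client would append to its API base URL, e.g.
    'tracks/<id>'. The parser is injectable so both variants can be compared."""
    return f"{kind}s/{get_id(kind, value)}"


if __name__ == "__main__":
    sample_id = "0123456789abcdefABCDEF"  # constructed, not a real Spotify ID
    hostile = f"spotify:track:../../playlists/{sample_id}"  # constructed input
    print("naive :", build_path("track", hostile, get_id=naive_get_id))
    print("safe  :", is_valid_reference("track", hostile))
```

The naive variant turns the constructed URI into a path with embedded "../.." segments, which is the shape of problem the advisory describes; the hardened variant rejects the same input before any path is assembled. Being stricter than the set of URLs Spotify actually emits (for instance rejecting extra path segments or unexpected hosts) is the safe direction for a client that builds request paths from user-supplied references.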

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23608
https://www.cve.org/CVERecord?id=CVE-2023-23608
https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-q764-g6fm-555v