CVE-2019-15149: Undirectional routing wasn't respected in some cases in Mitogen

August 19, 2019 (updated September 25, 2024)

core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with hypothetical other factors, i.e., an affected use case within a library caller, and a bug in the message receiver policy code that led to reliance on this extra protection mechanism.

References

github.com/advisories/GHSA-8rf6-w2mx-4xjh
github.com/dw/mitogen
github.com/dw/mitogen/commit/5924af1566763e48c42028399ea0cd95c457b3dc
github.com/pypa/advisory-database/tree/main/vulns/mitogen/PYSEC-2019-104.yaml
mitogen.networkgenomics.com/changelog.html
nvd.nist.gov/vuln/detail/CVE-2019-15149

Code Behaviors & Features

Detect and mitigate CVE-2019-15149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →