CVE-2016-3953 — web2py remote code execution via hardcoded encryption key in session.connect fun

Description

The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the `session.connect` function.

How to fix CVE-2016-3953

To remediate CVE-2016-3953, upgrade the affected package to a fixed version below.

PyPI/web2py—upgrade to 2.14.2 or later

Is CVE-2016-3953 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.14.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-3953
PATCHgithub.com/web2py/web2py
WEBdevco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957
WEBgithub.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py