{"id":"PYSEC-2019-104","details":"** DISPUTED ** core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with hypothetical other factors, i.e., an affected use case within a library caller, and a bug in the message receiver policy code that led to reliance on this extra protection mechanism.","aliases":["CVE-2019-15149","GHSA-8rf6-w2mx-4xjh"],"modified":"2023-11-08T04:01:12.761712Z","published":"2019-08-18T20:15:00Z","references":[{"type":"WEB","url":"https://mitogen.networkgenomics.com/changelog.html#v0-2-8-2019-08-18"},{"type":"FIX","url":"https://github.com/dw/mitogen/commit/5924af1566763e48c42028399ea0cd95c457b3dc"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-8rf6-w2mx-4xjh"}],"affected":[{"package":{"name":"mitogen","ecosystem":"PyPI","purl":"pkg:pypi/mitogen"},"ranges":[{"type":"GIT","repo":"https://github.com/dw/mitogen","events":[{"introduced":"0"},{"fixed":"5924af1566763e48c42028399ea0cd95c457b3dc"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.2.8"}]}],"versions":["0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mitogen/PYSEC-2019-104.yaml"}}],"schema_version":"1.7.3"}