{"id":"PYSEC-2019-48","details":"In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.","modified":"2023-03-14T07:01:09.352710Z","published":"2019-10-03T20:15:00Z","withdrawn":"2023-03-14T07:01:09.352710Z","references":[{"type":"WEB","url":"https://rpyc.readthedocs.io/en/latest/docs/security.html"},{"type":"WEB","url":"https://github.com/tomerfiliba/rpyc"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00046.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00004.html"}],"affected":[{"package":{"name":"rpyc","ecosystem":"PyPI","purl":"pkg:pypi/rpyc"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.1.0"},{"fixed":"4.1.2"}]}],"versions":["4.1.0","4.1.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/rpyc/PYSEC-2019-48.yaml"}}],"schema_version":"1.7.3"}