VYPR
High severity · NVD Advisory · Published May 1, 2012 · Updated Apr 29, 2026

CVE-2012-0878


Description

Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.
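A defender-side check for the condition described above, as an added example (not code from Paste Script or from this advisory): it parses a Linux `/proc/<pid>/status` record and reports supplementary groups a process still holds that its account is not entitled to. The sample status text, account table and group table are constructed, and all function names are this example's own.

```python
import grp
import pwd

# Constructed sample: status of a server started by root that switched to
# uid/gid 33 without resetting its supplementary groups (root's list remains).
SAMPLE_STATUS = (
    "Name:\tpaster\nPid:\t4242\n"
    "Uid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\n"
    "Groups:\t0 1 2 3 4 6 10\n"
)
# Constructed account and group tables: {uid: name} and (name, gid, members).
SAMPLE_PASSWD = {0: "root", 33: "www-data"}
SAMPLE_GROUPS = [("root", 0, []), ("disk", 6, []),
                 ("www-data", 33, []), ("uploads", 1001, ["www-data"])]


def parse_status(text):
    """Return (effective uid, effective gid, set of supplementary gids)."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    euid = int(fields["Uid"].split()[1])   # columns: real, effective, saved, fs
    egid = int(fields["Gid"].split()[1])
    groups = {int(g) for g in fields.get("Groups", "").split()}
    return euid, egid, groups


def expected_groups(user, gid, group_db):
    """Primary gid plus every group that lists the account as a member."""
    return {g for _, g, members in group_db if user in members} | {gid}


def audit(status_text, passwd, group_db):
    """Return gids the process holds beyond what its account should have."""
    euid, egid, held = parse_status(status_text)
    user = passwd.get(euid)                # None if the uid has no account
    return held - expected_groups(user, egid, group_db)


def audit_pid(pid):
    """Same check against a live Linux process, using the system databases."""
    passwd = {p.pw_uid: p.pw_name for p in pwd.getpwall()}
    group_db = [(g.gr_name, g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    with open("/proc/%d/status" % pid) as fh:
        return audit(fh.read(), passwd, group_db)


if __name__ == "__main__":
    print(sorted(audit(SAMPLE_STATUS, SAMPLE_PASSWD, SAMPLE_GROUPS)))
```

A non-empty result for a daemon that is supposed to run unprivileged means group-based file permissions are not restricting it as intended.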

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem) | Affected versions | Patched versions
pastescript (PyPI) | < 2.0.1 | 2.0.1
paste (PyPI) | < 1.7.5.1 | 1.7.5.1

Affected products

1

Patches

1
b5f36f2995e1

Merged in clayg/pastescript/setgroups (pull request #3)

https://github.com/cdent/pastescript · Ian Bicking · Feb 8, 2012 · via ghsa
2 files changed · +6 0
  • .hgignore+1 0 modified
    @@ -1,4 +1,5 @@
     syntax: glob
    +*.pyc
     *.egg-info/
     build/
     dist/
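Review bot: The `*.pyc` ignore rule is housekeeping unrelated to the group-membership fix in serve.py; consider moving it to its own commit so the security change can be backported or cherry-picked as a single-file patch.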
    
  • paste/script/serve.py+5 0 modified
    @@ -497,6 +497,11 @@ def change_user_group(self, user, group):
             if self.verbose > 0:
                 print 'Changing user to %s:%s (%s:%s)' % (
                     user, group or '(unknown)', uid, gid)
    +        if hasattr(os, 'initgroups'):
    +            os.initgroups(user, gid)
    +        else:
    +            os.setgroups([e.gr_gid for e in grp.getgrall()
    +                          if user in e.gr_mem] + [gid]) 
             if gid:
                 os.setgid(gid)
             if uid:
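Review bot: The added group-reset block runs unconditionally, while the `if gid:` and `if uid:` guards just below it show that this function can be reached with one of those values unset. In that case `os.initgroups(user, gid)` is handed an empty user or gid, and the fallback appends a possibly empty `gid` to the list passed to `os.setgroups`. Suggest guarding the block (for example with `if user:`) and, when only a uid is known, deriving the account name from it before the lookup. Two smaller points: the fallback matches `user in e.gr_mem` by name, so it silently reduces to `[gid]` if `user` is not an account name, and the last added line carries trailing whitespace. The hunk does not show an `import grp`, so confirm the module is imported at the top of serve.py.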
    
