VYPR
Unrated severity · NVD Advisory · Published Nov 7, 2022 · Updated May 5, 2025

CVE-2022-44051

Description

The d8s-stats for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-math package. The affected version of d8s-htm is 0.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The d8s-stats Python package on PyPI contained a code-execution backdoor via the democritus-math dependency in version 0.1.0.

Vulnerability

The vulnerability is a potential code-execution backdoor inserted by a third party into the d8s-stats package distributed on PyPI [1]. The backdoor was introduced through a dependency, the democritus-math package, which was also compromised [1][2]. The affected version of d8s-stats is 0.1.0 [1]. The package provides statistical functions and is installed via pip install d8s-stats [1].

Exploitation

An attacker who controls the democritus-math package (or the dependency chain) could inject malicious code into the d8s-stats package at runtime when the package is imported or used [1]. The exploitation requires that a user installs version 0.1.0 of d8s-stats and its dependencies, and then imports the library (e.g., from d8s_stats import *) [1]. No additional authentication or network position is needed beyond the ability to modify the upstream package repository or perform a supply-chain attack.

Impact

Successful exploitation would allow the attacker to execute arbitrary code on the system of any user who installed and used the affected d8s-stats package [1]. This results in full compromise of confidentiality, integrity, and availability (CIA) of the user's Python environment and potentially the host system [1]. The attacker's code would run with the privileges of the user executing the Python script.

Mitigation

No fix or updated version of d8s-stats has been released to address this backdoor [1]. Users should immediately remove or avoid installing version 0.1.0 of d8s-stats and any packages that depend on it [1]. The democritus-math package is also compromised [1][2]. As a general precaution, users should verify the integrity of any third-party packages from PyPI and consider using dependency verification tools. If a patch becomes available, it will likely be a new version of d8s-stats that removes the compromised dependency [1].
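One way to act on the mitigation above, as an added example that is not part of this advisory or of the d8s-stats project: a small Python audit that scans a pip freeze or pip-compile style requirements listing for the affected d8s-stats 0.1.0 release and for any version of democritus-math, and flags requirements that carry no --hash pin. The requirements text and its version numbers other than 0.1.0 are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Package/version pairs named in CVE-2022-44051. "*" means any version,
# since the advisory names no safe democritus-math release.
COMPROMISED = {
    "d8s-stats": {"0.1.0"},
    "democritus-math": {"*"},
}

# Matches "name==version" at the start of a requirement line.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\;]+)")

@dataclass
class Finding:
    package: str
    version: str
    reason: str

def normalize(name: str) -> str:
    # PEP 503 normalisation: case-insensitive, runs of "-_." collapse to "-"
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text: str) -> list[Finding]:
    """Return findings for compromised or hash-unpinned requirements.

    Understands the multi-line form written by pip-compile --generate-hashes,
    where "--hash=..." continuation lines follow the "name==version \\" line.
    """
    findings: list[Finding] = []
    current = None  # [normalized name, version, has_hash]

    def flush():
        if current and not current[2]:
            findings.append(Finding(current[0], current[1], "no --hash pin"))

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        m = REQ_RE.match(line)
        if m:
            flush()
            name, version = normalize(m.group(1)), m.group(2)
            current = [name, version, "--hash=" in line]
            bad = COMPROMISED.get(name)
            if bad and ("*" in bad or version in bad):
                findings.append(Finding(name, version, "listed in CVE-2022-44051"))
        elif current and "--hash=" in line:
            current[2] = True
    flush()
    return findings

# Constructed sample; only d8s-stats 0.1.0 is a version from the advisory.
SAMPLE = """\
# constructed example, not a real lock file
d8s-stats==0.1.0
requests==2.31.0 \\
    --hash=sha256:deadbeef
Democritus_Math==0.2.0
numpy==1.26.0
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE):
        print(f"{f.package}=={f.version}: {f.reason}")
```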

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)