CVE-2024-56327 – Malicious plugin names, recipients, or identities can cause arbitrary binary execution in pyrage

https://notcve.org/view.php?id=CVE-2024-56327

pyrage is a set of Python bindings for the rage file encryption library (age in Rust). `pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to `pyrage` for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details. Versions of `pyrage` before 1.2.0 lack plugin support and are therefore **not affected**. • https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c https://github.com/advisories/GHSA-4fg7-vxc8-qx5w https://github.com/woodruffw/pyrage/security/advisories/GHSA-47h8-jmp3-9f28 • CWE-94: Improper Control of Generation of Code ('Code Injection') •