Cyber Resilience

CVE-2022-30286

Severity: High · Public PoC

Published: 09 May 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none recorded
CVSS v3.1: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.3080 (96.8th percentile)
Risk Priority: 33 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-30286 is a high-severity vulnerability in PyScript (pyscriptjs). No CWE has been assigned in the available data. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 3.2% of CVEs by EPSS exploit likelihood (96.8th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is an information disclosure flaw in pyscriptjs, also known as the PyScript Demonstrator, affecting PyScript versions through 2022-05-04. It allows unauthorized reading of Python source code hosted by the affected component. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, high-confidentiality impact that requires neither privileges nor user interaction and has no integrity or availability effect.

A remote attacker can exploit the issue over the network to retrieve Python source files that should remain private, exposing application logic and any sensitive data embedded in it (credentials, internal endpoints, business rules). Public proof-of-concept code has been published that demonstrates direct retrieval of Python source from exposed PyScript deployments.

References include detailed PoCs, vulnerability chaining examples, and links to the project's commit history, but no explicit patch or mitigation guidance is provided in the available sources. The EPSS score has remained at 0.3080 without a notable rise after disclosure.
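The practical consequence of the flaw is that whatever a page hands to PyScript is retrievable by any visitor. The script below is an added example, not code from this page or from the PyScript project: it walks an HTML document, lists the external Python files referenced from `<py-script src="...">` tags (the tag and attribute used by PyScript releases of that period), and flags inline `<py-script>` bodies that contain credential-looking assignments, so a reviewer can see exactly which source and secrets would be exposed before deploying. The sample page, the secret-matching heuristics and the function name `find_exposed_secrets` are constructed for the example.

```python
"""Audit helper (added example): enumerate Python source a PyScript page exposes.

Everything inside or referenced by a <py-script> tag is fetched by the
visitor's browser, so a remote user can read it. This parser collects
inline bodies and src="" references and flags lines that look like
embedded credentials.
"""
import re
from html.parser import HTMLParser

# Heuristic credential patterns; an assumption for this example, tune per codebase.
SECRET_PATTERNS = [
    re.compile(r"""(?i)\b(api[_-]?key|secret|password|passwd|token)\s*=\s*['"][^'"]{4,}['"]"""),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # shape of an AWS access key id
]


class PyScriptCollector(HTMLParser):
    """Collect inline <py-script> bodies and external src paths from a page."""

    def __init__(self):
        super().__init__()
        self.inline = []      # (line number of the opening tag, source text)
        self.external = []    # values of src="" attributes
        self._in_pyscript = False
        self._start_line = 0
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "py-script":
            return
        attr_map = dict(attrs)
        if attr_map.get("src"):
            self.external.append(attr_map["src"])
        self._in_pyscript = True
        self._start_line = self.getpos()[0]
        self._buf = []

    def handle_data(self, data):
        if self._in_pyscript:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "py-script" and self._in_pyscript:
            self._in_pyscript = False
            body = "".join(self._buf)
            if body.strip():
                self.inline.append((self._start_line, body))


def find_exposed_secrets(html_text):
    """Return (external_sources, findings).

    external_sources: every .py path the browser will fetch for this page.
    findings: (location, offending line) for inline code matching SECRET_PATTERNS.
    """
    parser = PyScriptCollector()
    parser.feed(html_text)
    parser.close()
    findings = []
    for start_line, body in parser.inline:
        for offset, line in enumerate(body.splitlines()):
            if any(p.search(line) for p in SECRET_PATTERNS):
                findings.append((f"inline py-script near line {start_line + offset}", line.strip()))
    return parser.external, findings


# Constructed sample page for the example; not taken from any real deployment.
SAMPLE_PAGE = """<html>
<head><py-env>- requests</py-env></head>
<body>
<py-script src="./app/main.py"></py-script>
<py-script>
import requests
API_KEY = "sk_live_1234567890abcdef"
def fetch():
    return requests.get("https://api.example.test/data", headers={"X-Key": API_KEY})
</py-script>
</body></html>"""


if __name__ == "__main__":
    external, findings = find_exposed_secrets(SAMPLE_PAGE)
    print("external Python files the browser will fetch:", external)
    for location, line in findings:
        print(f"{location}: {line}")
```

Run it against rendered HTML before publishing. Every path it lists is public by construction, since the browser has to fetch it, and every flagged line is a credential that a remote user can read with a plain HTTP request; moving that value server-side is the only real remediation.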


Vulnerability details

pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code.

CWE(s)

None assigned in the available data.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pyscript
Product: pyscript
Versions: ≤ 2022-05-04

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. Until then, treat any Python handed to PyScript as public: the browser must fetch it, so server-side access controls cannot hide it from a visitor, and credentials or privileged logic belong in a backend service rather than in the page.
