uniapi 1.0.7

miketheman · web-flow · commit f2cd64c503d1 · 2025-01-24T16:15:41.000-06:00
Signed-off-by: Mike Fiedler &lt;miketheman@gmail.com&gt;
diff --git a/vulns/uniapi/PYSEC-0000-uniapi.yaml b/vulns/uniapi/PYSEC-0000-uniapi.yaml
@@ -0,0 +1,26 @@
+id: PYSEC-0000-uniapi.yaml
+modified: 2025-01-24T19:56:53Z
+summary: uniapi version 1.0.7 contained an information harvesting script.
+details: |
+  uniapi version 1.0.7 introduces code that would execute
+  on import of the module and download a script from a remote URL,
+  and would then execute the downloaded script in a thread.
+  The downloaded script would harvest system information
+  and `POST` the information to another remote URL.
+  This code was found in the PyPI release artifacts and was not present
+  in the public GitHub repository.
+affected:
+- package:
+    ecosystem: PyPI
+    name: uniapi
+    purl: pkg:pypi/uniapi
+  versions:
+  - 1.0.7
+references:
+- type: EVIDENCE
+  url: https://inspector.pypi.io/project/uniapi/1.0.7/packages/0f/40/c6e06c22bbc22ef45f40bf5a7711763fa08fec4d16b4718d86fd60970131/uniapi-1.0.7.tar.gz/uniapi-1.0.7/uniapi/__init__.py#line.11
+credits:
+- name: Mike Fiedler
+  type: COORDINATOR
+- name: Kamil Mańkowski
+  type: REPORTER
