PT-2017-14546 · Django · Django Make App

Joel · Published 2017-11-10 · Updated 2019-12-11 · CVE-2017-16764

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: django-make-app version 0.1.3
Description: The issue concerns the YAML parsing functionality in the read_yaml_file method within io_utils.py. The YAML parser it uses can construct arbitrary Python objects from the document, so a crafted YAML file results in command execution. An attacker can exploit this by inserting Python code into the YAML files the application loads.
Recommendations: For django-make-app version 0.1.3, consider disabling the read_yaml_file method in io_utils.py until a patch is available, to prevent the execution of arbitrary Python commands. Restrict the loading of YAML files to trusted sources to minimize the risk of exploitation.
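The following is an added example, not code from django-make-app or from this advisory, showing what a hardened replacement for a helper like read_yaml_file would look like. It assumes the original helper reads a file from disk and hands the text to a PyYAML loader that resolves language-specific tags (the behaviour the description above refers to); the function names, the pre-scan regex and the sample documents are constructed for the example. The defensive change is to parse with yaml.safe_load, which only knows the core YAML types, and to report any `!!python/` tags up front so a rejected file is easy to triage rather than silently failing:

```python
"""Hardened YAML loading for a helper shaped like read_yaml_file in io_utils.py.

Added example; not the project's code. Assumes the original helper reads a
file and passes its text to a PyYAML loader that honours !!python/ tags.
"""
import re
from pathlib import Path

try:
    import yaml  # PyYAML; only needed for the actual parsing step
except ImportError:
    yaml = None

# PyYAML's full loader honours tags in the !!python/ namespace, which let a
# document name Python callables and objects to construct. safe_load rejects
# them; the pre-scan below additionally reports where they occur.
PYTHON_TAG = re.compile(r"!!python/[A-Za-z/_.:-]*")


def find_python_tags(text: str):
    """Return (line_number, tag) for every !!python/ tag in a YAML document."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PYTHON_TAG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def load_yaml_text(text: str):
    """Parse YAML with a loader that cannot construct arbitrary objects.

    Raises ValueError (with locations) if language-specific tags are present,
    instead of leaving it to the parser to decide what to do with them.
    """
    hits = find_python_tags(text)
    if hits:
        where = ", ".join(f"line {n}: {tag}" for n, tag in hits)
        raise ValueError(f"refusing YAML with Python-specific tags ({where})")
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse the document")
    # safe_load knows only maps, lists and scalars; yaml.load(text) with the
    # full Loader is the unsafe form the advisory describes.
    return yaml.safe_load(text)


def read_yaml_file(path):
    """Same shape as the advisory's helper: read a file, then parse it safely."""
    return load_yaml_text(Path(path).read_text(encoding="utf-8"))


# Constructed sample documents (not taken from the advisory or the project).
BENIGN_DOC = "app:\n  name: demo\n  models:\n    - Post\n    - Comment\n"
TAGGED_DOC = "app:\n  name: !!python/name:builtins.len\n"

if __name__ == "__main__":
    print(find_python_tags(TAGGED_DOC))   # [(2, '!!python/name:builtins.len')]
    if yaml is not None:
        print(load_yaml_text(BENIGN_DOC))
```

The pre-scan is a triage aid, not the security boundary: the property that matters is that the document never reaches a loader that resolves `!!python/` tags, which `yaml.safe_load` guarantees on its own.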

Exploit

Fix

Code Injection


Weakness Enumeration

Related identifiers

CVE-2017-16764
GHSA-9PV8-Q5RX-C8GQ
PYSEC-2017-79

Affected products

Django Make App