PT-2018-18428 · Pyeve · Eve

Orangetwo

Publicado

2018-03-14

Atualizado

2018-07-12

CVE-2018-8097

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Eve (aka pyeve) versions prior to 0.7.5

Description: The issue allows remote attackers to execute arbitrary code via Code Injection in the where parameter. This is related to the io/mongo/parser.py file in Eve.

Recommendations: For versions prior to 0.7.5, update to version 0.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the where parameter in the affected API endpoint until the issue is resolved.

Correção

Code Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-94

Identificadores relacionados

CVE-2018-8097

GHSA-8JXQ-75RW-FHJ9

PYSEC-2018-8

Produtos afetados

Eve

PT-2018-18428 · Pyeve · Eve

CVE-2018-8097

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 9