PT-2019-15185 · Sagemath · Sagemath Sage Cell Server

Published 2019-10-18 · Updated 2024-08-05 · CVE-2019-17526

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: SageMath Sage Cell Server versions prior to 2019-10-05

Description: An issue in SageMath Sage Cell Server allows Python code injection, enabling malicious actors to execute arbitrary commands on the underlying operating system. This can be achieved through an internet-facing web application. For example, submitting the line __import__('os').popen('whoami').read() causes the server to run a system command. The vendor acknowledges this behavior as "vulnerable by design" and intends to retain it.

Recommendations: For versions prior to 2019-10-05, consider restricting access to the Sage Cell Server to minimize the risk of exploitation, as the vendor does not plan to change the current behavior. At the moment, there is no information about a newer version that contains a fix for this issue.

Weakness Enumeration: Code Injection; OS Command Injection

Related Identifiers: CVE-2019-17526

Affected Products: Sagemath Sage Cell Server