Lucene search

GitHub Advisory DatabaseGHSA-W9CP-3X79-2P8P

HistoryNov 02, 2023 - 6:30 a.m.

transmute-core unsafe YAML deserialization vulnerability

2023-11-0206:30:25

CWE-502

GitHub Advisory Database

github.com

yaml deserialization

transmute-core

vulnerability

python code execution

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.9

Confidence

High

EPSS

0.001

Percentile

31.1%

JSON

Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code.

Affected configurations

Vulners

Node

toumorokoshitransmute-coreRange0–1.13.5

VendorProductVersionCPE
toumorokoshitransmute-core*cpe:2.3:a:toumorokoshi:transmute-core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
toumorokoshi	transmute-core	*	cpe:2.3:a:toumorokoshi:transmute-core::::::::

References

github.com/advisories/GHSA-w9cp-3x79-2p8p

github.com/pypa/advisory-database/tree/main/vulns/transmute-core/PYSEC-2023-223.yaml

github.com/toumorokoshi/transmute-core/commit/29bf82eb8ed9926d31eec90aec482ecc0dcb23f0

github.com/toumorokoshi/transmute-core/pull/58

github.com/toumorokoshi/transmute-core/releases/tag/v1.13.5

nvd.nist.gov/vuln/detail/CVE-2023-47204

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.9

Confidence

High

EPSS

0.001

Percentile

31.1%

JSON

Related for GHSA-W9CP-3X79-2P8P