Command Injection

2023-10-0909:24:47

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

pydash

command injection

helpers.py

_base_get_object

risky attributes

command injection vulnerability

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

33.4%

JSON

pydash is vulnerable to Command Injection. The vulnerability is due to the _base_get_object function in helpers.py which retrieves the value of a given key from an object. If it doesn’t find a specified key in an object, it tries to access the object’s attributes directly. This allows attackers to access risky attributes, like__init__.__globals__ , that can potentially lead to Command Injection.