Lucene search

Veracode Vulnerability DatabaseVERACODE:44590

HistoryDec 07, 2023 - 7:23 a.m.

Deserialization Of Untrusted Data

2023-12-0707:23:47

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

pydrive2

vulnerability

loadsettingsfile

settings.py

yaml

code execution

software

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

28.5%

JSON

pydrive2 is vulnerable to Deserialization Of Untrusted Data. The vulnerability exists in LoadSettingsFile function at settings.py which can result in the loading of arbitrary YAML files, resulting in arbitrary code execution.

References

github.com/advisories/GHSA-v5f6-hjmf-9mc5

github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004

github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5

lists.fedoraproject.org/archives/list/[email protected]/message/CYR5SJKOFSSXFV3E3D2SLXBUBA5WMJJG/

lists.fedoraproject.org/archives/list/[email protected]/message/K34YWTDKBAYWZPOAKBYDM72WIFL5CAYW/

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

28.5%

JSON

Related for VERACODE:44590