Lucene search
Veracode Vulnerability DatabaseVERACODE:5406HistoryNov 10, 2017 - 11:51 p.m.
Remote Code Execution (RCE)
2017-11-1023:51:26
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
2
0.022 Low
EPSS
Percentile
89.5%
confire is vulnerable to remote code execution attacks. The attacks can happen because the config.py file allows users to parse their configuration from the /.confire.yaml through the yaml.load() function of the YAML parser, allowing attackers to inject and execute arbitrary python commands.
References
github.com/bbengfort/confire/blob/1af143389a3d98e5915767a79d24d4e08dd4f454/confire/config.py#L113
github.com/bbengfort/confire/commit/54bd70c49a5a051f42a60f47ff7dbff5843e60f4
github.com/bbengfort/confire/commit/8cc86a5ec2327e070f1d576d61bbaadf861597ea
github.com/bbengfort/confire/issues/24
joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16763-configure-loaded-through-confire/
Related
osv
osv
PYSEC-2017-78
2017-11-10 09:29:00
CVE-2017-16763
2017-11-10 09:29:00
Unsafe deserialization in confire
2018-07-18 18:28:26
nvd
nvd
CVE-2017-16763
2017-11-10 09:29:00
cve
cve
CVE-2017-16763
2017-11-10 09:29:00
prion
prion
Input validation
2017-11-10 09:29:00
cvelist
cvelist
CVE-2017-16763
2017-11-10 09:00:00
github
github
Unsafe deserialization in confire
2018-07-18 18:28:26