PYSEC-2017-78

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/confire/PYSEC-2017-78.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2017-78

Aliases

Published

2017-11-10T09:29:00Z

Modified

2023-11-08T03:59:13.549390Z

Summary

[none]

Details

An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from "~/.confire.yaml" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.

References

Affected packages

PyPI / confire

Package

Name: confire; View open source insights on deps.dev
Purl: pkg:pypi/confire

Affected ranges

Type: GIT
Repo: https://github.com/bbengfort/confire
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8cc86a5ec2327e070f1d576d61bbaadf861597ea

Type: ECOSYSTEM
Events: Introduced

0.1.0

Affected versions

0.*

0.1.0

0.1.1

0.2.0