PYSEC-2020-341

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/jw.util/PYSEC-2020-341.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2020-341
Aliases
Published
2020-05-22T17:15:00Z
Modified
2023-11-08T04:02:19.226419Z
Summary
[none]
Details

An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When a YAML configuration is loaded with FromString or FromStream, whoever controls the YAML text can execute arbitrary Python code, resulting in OS command execution, because the YAML is parsed with the full loader rather than with safe_load.
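The loader difference behind this advisory, as an added illustration that is not part of the OSV record or of jw.util itself: the constructed config below uses a harmless PyYAML-only tag to show that the full loader builds native Python objects from tags while safe_load refuses any `!!python/` tag, and a tag pre-check lets untrusted documents be screened before loading. The function names and the sample documents are assumptions made for this example.

```python
import yaml

# Constructed sample: a config carrying a PyYAML-specific tag. "!!python/tuple"
# is benign, but it is honoured by the same loader that also honours tags which
# construct arbitrary objects, which is what makes loading untrusted YAML with
# the full loader equivalent to running attacker-chosen code.
TAGGED_CONFIG = """
name: demo
ports: !!python/tuple [8080, 8443]
"""

# Constructed sample: the same config using only core YAML types.
PLAIN_CONFIG = """
name: demo
ports: [8080, 8443]
"""

def load_config_unsafe(text):
    """The vulnerable pattern: a loader that constructs Python objects from tags."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)

def load_config_safe(text):
    """The fixed pattern: safe_load only yields str/int/float/bool/list/dict/None."""
    return yaml.safe_load(text)

def try_safe_load(text):
    """Return (ok, value): value is the parsed data, or the error message if rejected."""
    try:
        return True, yaml.safe_load(text)
    except yaml.constructor.ConstructorError as exc:
        return False, str(exc)

def has_python_tags(text):
    """Pre-check for untrusted input: does the document use any !!python/ tag?
    yaml.compose builds the node graph without constructing objects, so it is
    safe to run on untrusted text; we then walk the nodes and inspect tags."""
    root = yaml.compose(text, Loader=yaml.SafeLoader)
    if root is None:  # empty document
        return False
    stack = [root]
    while stack:
        node = stack.pop()
        if node.tag.startswith("tag:yaml.org,2002:python/"):
            return True
        if isinstance(node, yaml.SequenceNode):
            stack.extend(node.value)
        elif isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                stack.extend((key, value))
    return False
```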

References

Affected packages

PyPI / jw-util

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.3

Affected versions

-class.*
-class.-jw.util.version.Version-
1.*
1.0dev1
1.0a
1.3.4
1.3.5
1.3.6
1.3.7
1.4
1.4.1
1.4.2
1.5a0
1.5a1
1.5a2
1.5a3
1.5a4
1.5b0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6
1.7
1.8
1.9
1.9.1
1.9.2
2.*
2.0a0
2.0a1
2.0a2
2.0a3
2.0b0
2.0
2.0.1
2.1
2.2
Other
2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/jw.util/PYSEC-2020-341.yaml"