An exploitable vulnerability exists in the YAML parsing functionality of the read_yaml_file method in io_utils.py in django_make_app 0.1.3. The YAML file is parsed with a loader that honours PyYAML's !!python/... tags, so the parser will instantiate arbitrary Python objects and call arbitrary Python functions named in the document, resulting in code execution. An attacker who can supply or modify the YAML file that is loaded can insert such a tag to trigger this vulnerability.
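The following is an added example written for this entry; it is not code from django-make-app. It reproduces the vulnerable pattern (a full PyYAML loader) next to the hardened form (yaml.safe_load) on a constructed app-schema document. The document shape (name/models), the function names and the use of os.getcwd as a harmless stand-in for an attacker's chosen callable are all assumptions; the only requirement is that PyYAML is installed.

```python
import os

import yaml

# Constructed sample: looks like an app schema, but one scalar carries a
# PyYAML python tag that calls os.getcwd() with no arguments. An attacker
# would name something far less benign here (e.g. os.system with a command).
MALICIOUS_YAML = """\
name: myapp
models:
  - name: !!python/object/apply:os.getcwd []
"""

# Constructed sample without any Python-specific tags.
BENIGN_YAML = """\
name: myapp
models:
  - name: Article
"""


def read_yaml_file_unsafe(text):
    """Vulnerable pattern (hypothetical stand-in for the affected code).

    yaml.Loader is the full loader: it resolves !!python/object/apply and
    related tags by importing modules and calling functions named in the
    document. Older PyYAML used this loader by default for yaml.load(text).
    """
    return yaml.load(text, Loader=yaml.Loader)


def read_yaml_file_safe(text):
    """Hardened form: safe_load only builds plain Python data types."""
    return yaml.safe_load(text)


def exploit_succeeds():
    """True if the unsafe loader executed the function named in the tag."""
    data = read_yaml_file_unsafe(MALICIOUS_YAML)
    # The 'name' scalar is no longer a string from the file but the return
    # value of os.getcwd(), i.e. attacker-chosen code ran during parsing.
    return data["models"][0]["name"] == os.getcwd()


def safe_loader_rejects():
    """True if safe_load refuses the python tag instead of executing it."""
    try:
        read_yaml_file_safe(MALICIOUS_YAML)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader executed tag:", exploit_succeeds())
    print("safe_load rejected tag:   ", safe_loader_rejects())
    print("safe_load on benign file: ", read_yaml_file_safe(BENIGN_YAML))
```

The practical check for any project is to grep for yaml.load( without a Loader argument, or with yaml.Loader or yaml.UnsafeLoader, and replace it with yaml.safe_load; for documents that legitimately need custom types, register constructors on a SafeLoader subclass rather than falling back to the full loader.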
Name | Operator | Version
---|---|---
django-make-app | eq | 0.1.0
django-make-app | eq | 0.1.0.1
django-make-app | eq | 0.1.1
django-make-app | eq | 0.1.2
django-make-app | eq | 0.1.2.1
django-make-app | eq | 0.1.3
github.com/illagrenan/django-make-app
github.com/illagrenan/django-make-app/commit/acd814433d1021aa8783362521b0bd151fdfc9d2
github.com/illagrenan/django-make-app/issues/5
joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16764-vulnerability-in-django-make-app
nvd.nist.gov/vuln/detail/CVE-2017-16764