Lucene search
GoogleOSV:GHSA-CCMQ-QVCP-5MRMHistoryJul 13, 2018 - 4:01 p.m.
Unsafe deserialization in owlmixin
2018-07-1316:01:12
Google
osv.dev
4
0.022 Low
EPSS
Percentile
89.5%
An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A “Load YAML” string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
References
github.com/advisories/GHSA-ccmq-qvcp-5mrm
github.com/tadashi-aikawa/owlmixin
github.com/tadashi-aikawa/owlmixin/commit/5d0575303f6df869a515ced4285f24ba721e0d4e
github.com/tadashi-aikawa/owlmixin/issues/12
joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16618-convert-through-owlmixin
nvd.nist.gov/vuln/detail/CVE-2017-16618
Related
prion
prion
Design/Logic Flaw
2017-11-08 03:29:00
osv
osv
CVE-2017-16618
2017-11-08 03:29:00
PYSEC-2017-22
2017-11-08 03:29:00
github
github
Unsafe deserialization in owlmixin
2018-07-13 16:01:12
cve
cve
CVE-2017-16618
2017-11-08 03:29:00
veracode
veracode
Arbitrary Code Execution
2017-11-08 09:04:41
nvd
nvd
CVE-2017-16618
2017-11-08 03:29:00
cvelist
cvelist
CVE-2017-16618
2017-11-08 03:00:00