2 matches found
tribe (>=1.2.0 <=1.3.0) potentially affected by CVE-2017-16763 via confire (=0.2.0)
confire PYPI version =0.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on confire and may be impacted: - tribe =1.2.0, =1.3.0 Source cves: CVE-2017-16763 Source advisory: OSV:GHSA-M85C-9MF8-M2M6...
CVE-2017-16763
The CVE-2017-16763 entry covers Confire 0.2.0: YAML parsing in config.py loads user config from ~/.confire.yaml using yaml.load, enabling arbitrary Python execution and command execution on the host. This is a YAML deserialization issue that can be triggered by injected YAML. The connected docume...