Published: 29 Oct 2018
Source: github
GitHub: reviewed
CVSS4: 8.5
CVSS3: 7.8
Description
conference-scheduler-cli Arbitrary Code Execution
In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
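As an added illustration (not code from the project or from this advisory), the unsafe import pattern the description refers to is shown beside a hardened loader that only resolves an explicit allowlist of globals, so a pickle naming any other callable is refused before anything runs. Function names, the allowlist contents and the sample inputs are assumptions for this example.

```python
import collections
import io
import pickle
from typing import Any

# Vulnerable pattern (constructed illustration of the CVE-2018-14572 bug class,
# not the project's own code): pickle.load resolves and calls any global the
# file names, so a crafted import file runs code at load time.
def load_import_unsafe(path: str) -> Any:
    with open(path, "rb") as fh:
        return pickle.load(fh)


# Hardened variant: only globals on an explicit allowlist may be resolved, so a
# pickle that references os.system or any other callable is rejected before
# anything executes. Plain containers (dict, list, str, int) need no globals.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not in allowlist")


def load_import_restricted(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_pickle(data: bytes) -> bool:
    """True if the data loads under the allowlist, False if it was rejected."""
    try:
        load_import_restricted(data)
        return True
    except pickle.UnpicklingError:
        return False


def build_samples() -> tuple:
    """Constructed inputs: a plain-data schedule and one that names a global
    (collections.OrderedDict), standing in for any disallowed reference."""
    plain = pickle.dumps({"events": [{"name": "Talk A", "slot": 1}], "slots": [1, 2]})
    with_global = pickle.dumps(collections.OrderedDict([("a", 1)]))
    return plain, with_global
```

Where the import format does not actually need Python objects, replacing pickle with JSON removes the deserialization risk entirely rather than narrowing it.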
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-14572
- https://github.com/PyconUK/ConferenceScheduler-cli/issues/19
- https://github.com/advisories/GHSA-cf3c-fffp-34qh
- https://github.com/pypa/advisory-database/tree/main/vulns/conference-scheduler-cli/PYSEC-2018-64.yaml
- https://joel-malwarebenchmark.github.io/blog/2020/04/25/cve-2018-14572-conference-scheduler-cli
Packages
Name: conference-scheduler-cli (pip)
Affected versions: <= 0.10.1
Fixed version: none
Related vulnerabilities
CVSS3: 7.8
nvd
more than 7 years ago
In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.