Arbitrary Code Execution

Affecting knowledge-repo package, versions [,0.8.0)

Do your applications use this vulnerable package? Test your applications

Overview

knowledge-repo is focused on facilitating the sharing of knowledge between data scientists and other technical roles using data formats and tools that make sense in these professions.

Affected versions of this package are vulnerable to Arbitrary Code Execution. knowledge-repo read their configuration from the repository itself, by default from a python module called knowledge_repo_config.py. A malicious user with appropriate permissions could submit arbitrary code that will be executed at runtime on users’ machines, potentially leading to unwanted data loss, corruption or dissemination. With this change, only YAML configuration files will be read from the repository, mitigating this security vulnerability.

Remediation

Upgrade knowledge-repo to version 0.8.0 or higher.

References

CVSS Score

7.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Unknown
CWE
CWE-94
Snyk ID
SNYK-PYTHON-KNOWLEDGEREPO-72646
Disclosed
01 Nov, 2018
Published
28 Nov, 2018