Arbitrary Code Execution

Affecting knowledge-repo package, versions [,0.8.0)

high severity

Overview

knowledge-repo is focused on facilitating the sharing of knowledge between data scientists and other technical roles using data formats and tools that make sense in these professions.

Affected versions of this package are vulnerable to Arbitrary Code Execution. knowledge-repo read their configuration from the repository itself, by default from a python module called knowledge_repo_config.py. A malicious user with appropriate permissions could submit arbitrary code that will be executed at runtime on users’ machines, potentially leading to unwanted data loss, corruption or dissemination. With this change, only YAML configuration files will be read from the repository, mitigating this security vulnerability.

Remediation

Upgrade knowledge-repo to version 0.8.0 or higher.

References

Do your applications use this vulnerable package?

Credit
Unknown
CWE
CWE-94
Snyk ID
SNYK-PYTHON-KNOWLEDGEREPO-72646
Disclosed
01 Nov, 2018
Published
28 Nov, 2018