Arbitrary Code Execution
Affecting knowledge-repo package, versions [,0.8.0)
knowledge-repo is focused on facilitating the sharing of knowledge between data scientists and other technical roles using data formats and tools that make sense in these professions.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
knowledge-repo read their configuration from the repository itself, by default from a python module called
knowledge_repo_config.py. A malicious user with appropriate permissions could submit arbitrary code that will be executed at runtime on users’ machines, potentially leading to unwanted data loss, corruption or dissemination. With this change, only YAML configuration files will be read from the repository, mitigating this security vulnerability.
knowledge-repo to version 0.8.0 or higher.
Do your applications use this vulnerable package?
- Snyk ID
- 01 Nov, 2018
- 28 Nov, 2018