<p>Upgrade <code>henosis</code> to version 0.0.11 or higher.</p>

Arbitrary Code Injection Affecting henosis package, versions [,0.0.11)

Snyk CVSS

Attack Complexity High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-HENOSIS-42166
published 2 Aug 2018
disclosed 2 Jul 2018
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 2 Jul 2018

CWE-94 Open this link in a new tab

How to fix?

Upgrade henosis to version 0.0.11 or higher.

Overview

henosis is a Python framework for deploying recommendation models for form fields.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the yaml.load function. It used the unsafe yaml.load() method to load the yaml file that it ultimately encrypts. If that yaml file contains a carefully coded python directive, the yaml.load() method will enable arbitrary commands to be executed.

References

GitHub Issue