Arbitrary Code Injection Affecting henosis package, versions [,0.0.11)
Snyk CVSS
Attack Complexity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-HENOSIS-42166
- published 2 Aug 2018
- disclosed 2 Jul 2018
- credit Unknown
How to fix?
Upgrade henosis
to version 0.0.11 or higher.
Overview
henosis is a Python framework for deploying recommendation models for form fields.
Affected versions of this package are vulnerable to Arbitrary Code Execution via the yaml.load
function. It used the unsafe yaml.load()
method to load the yaml file that it ultimately encrypts. If that yaml file contains a carefully coded python directive, the yaml.load()
method will enable arbitrary commands to be executed.