Arbitrary Code Execution Affecting pytest-devpi-server package, versions [,1.1.0)
Snyk CVSS
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-PYTESTDEVPISERVER-40159
- published 15 Oct 2017
- disclosed 16 Feb 2016
- credit Unknown
Overview
pytest-devpi-server
is session-scoped by default
and run in a subprocess and temp dir to cleanup when it's done.
Affected versions of this package are vulnerable to Arbitrary Code Execution attacks. It would run subprocess with shell=True, allowing an attacker to insert shell commands in the function.