CVE-2017-16764

{"id": "CVE-2017-16764", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2017-11-10T09:29:00.410", "references": [{"url": "https://github.com/illagrenan/django-make-app/issues/5", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16764-vulnerability-in-django-make-app/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad explotable en la funcionalidad de an\u00e1lisis sint\u00e1ctico de YAML en el m\u00e9todo read_yaml_file en io_utils.py en django_make_app 0.1.3. Un analizador sint\u00e1ctico YAML puede ejecutar comandos python arbitrarios, lo que resulta en la ejecuci\u00f3n de comandos. Un atacante puede insertar c\u00f3digo python en el YAML cargado para provocar esta vulnerabilidad."}], "lastModified": "2019-12-11T15:03:48.683", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:django_make_app_project:django_make_app:0.1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A0E3904-6C2C-40FA-930D-9794D3784334"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}