Loaded Databook of Tablib prone to python insertion resulting in command execution
Critical severity
GitHub Reviewed
Published
Jul 13, 2018
to the GitHub Advisory Database
•
Updated Oct 27, 2024
Description
Published by the National Vulnerability Database
Jun 14, 2017
Published to the GitHub Advisory Database
Jul 13, 2018
Reviewed
Jun 16, 2020
Last updated
Oct 27, 2024
An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vulnerability.
References