Unsafe deserialization in owlmixin
Critical severity
GitHub Reviewed
Published
Jul 13, 2018
to the GitHub Advisory Database
•
Updated Sep 5, 2023
Description
Published to the GitHub Advisory Database
Jul 13, 2018
Reviewed
Jun 16, 2020
Last updated
Sep 5, 2023
An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A "Load YAML" string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
References