CVE-2020-15142

EPSS 0.76%
Veröffentlicht 14.08.2020 17:15:14
Zuletzt bearbeitet 21.11.2024 05:04:56
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openapi-python-client Project ≫ Openapi-python-client Version < 0.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.76%	0.709

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9	2.3	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P
security-advisories@github.com	8	1.3	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/triaxtec/openapi-python-client/blob/main/CHANGELOG.md#053---2020-08-13

Third Party Advisory

Release Notes

https://github.com/triaxtec/openapi-python-client/commit/f7a56aae32cba823a77a84a1f10400799b19c19a

Patch

Third Party Advisory

https://github.com/triaxtec/openapi-python-client/security/advisories/GHSA-9x4c-63pf-525f

Third Party Advisory

https://pypi.org/project/openapi-python-client/

Third Party Advisory

Product

https://nvd.nist.gov/vuln/detail/CVE-2020-15142