CVE-2005-1632: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

May 1, 2022 (updated September 18, 2023)

Cheetah 0.9.15 and 0.9.16 searches the /tmp directory for modules before using the paths in the PYTHONPATH variable, which allows local users to execute arbitrary code via a malicious module in /tmp/.

References

github.com/advisories/GHSA-vxf2-7rc3-pxmx
github.com/cheetahtemplate/cheetah
nvd.nist.gov/vuln/detail/CVE-2005-1632
web.archive.org/web/20050430021153/http://sourceforge.net/mailarchive/forum.php?thread_id=7070332&forum_id=1542

Detect and mitigate CVE-2005-1632 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →