CVE-2018-8097: Eve allows execution of arbitrary code

July 12, 2018 (updated September 20, 2024)

io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter.

References

github.com/advisories/GHSA-8jxq-75rw-fhj9
github.com/pyeve/eve
github.com/pyeve/eve/commit/f8f7019ffdf9b4e05faf95e1f04e204aa4c91f98
github.com/pyeve/eve/issues/1101
github.com/pypa/advisory-database/tree/main/vulns/eve/PYSEC-2018-8.yaml
nvd.nist.gov/vuln/detail/CVE-2018-8097

Detect and mitigate CVE-2018-8097 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →