CVE-2021-41078: Nameko Arbitrary code execution due to YAML deserialization
Nameko can be tricked to perform arbitrary code execution when deserialising a YAML config file. Example:
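As an added illustration (not code from the advisory, from Nameko, or from the fix itself), the pre-fix loading pattern this class of bug relies on beside the hardened one, using PyYAML; the config keys and the sample value are assumed for the demonstration, and the tag used is a harmless `!!python/tuple` so the point is only that non-safe loaders honour `!!python/...` tags at all:

```python
import yaml

# Constructed sample config. The !!python/tuple tag is honoured only by
# PyYAML's full/unsafe loaders; a safe loader rejects the whole family
# of !!python/... tags, which is what closes off code execution via a
# hostile config file. Keys are illustrative, not taken from the advisory.
TAGGED_CONFIG = """
AMQP_URI: amqp://guest:guest@localhost:5672/
WEB_SERVER_ADDRESS: !!python/tuple ["0.0.0.0", 8000]
"""

PLAIN_CONFIG = """
AMQP_URI: amqp://guest:guest@localhost:5672/
WEB_SERVER_ADDRESS: 0.0.0.0:8000
"""


def load_config_unsafe(text):
    """Pre-fix style: a loader that constructs arbitrary Python objects
    from tags. Any !!python/... tag in the file is acted on."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_config_safe(text):
    """Hardened style: SafeLoader knows only the core YAML types and
    raises ConstructorError on any tag it has no constructor for."""
    return yaml.safe_load(text)


def config_is_safe(text):
    """Defensive pre-check: True if the text parses with the safe loader,
    False if it carries tags the safe loader refuses."""
    try:
        yaml.safe_load(text)
        return True
    except yaml.constructor.ConstructorError:
        return False
```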
References
- github.com/advisories/GHSA-6p52-jr3q-c94g
- github.com/nameko/nameko
- github.com/nameko/nameko/releases/tag/v2.14.0
- github.com/nameko/nameko/releases/tag/v3.0.0-rc10
- github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g
- github.com/pypa/advisory-database/tree/main/vulns/nameko/PYSEC-2021-383.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-41078