CVE-2023-49297: PyDrive2's unsafe YAML deserialization in LoadSettingsFile allows arbitrary code execution
Unsafe YAML deserialization results in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded via LoadSettingsFile.
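As an added illustration of the defensive side (example code, not PyDrive2's own), the loader below parses a PyDrive-style settings.yaml with PyYAML's SafeLoader only and validates the result against an allowlist of top-level keys; the key names are assumed from PyDrive's documented settings.yaml format, and the sample documents are constructed. A document carrying a `!!python/*` tag, which a full loader would turn into a Python object during parsing, is refused instead of constructed.

```python
import yaml

# Top-level keys a PyDrive-style settings.yaml uses (assumed from the
# documented format; adjust to your own configuration schema).
ALLOWED_KEYS = {
    "client_config_backend", "client_config_file", "client_config",
    "save_credentials", "save_credentials_backend", "save_credentials_file",
    "get_refresh_token", "oauth_scope",
}

# Constructed sample of a legitimate settings file.
GOOD_SETTINGS = """\
client_config_backend: settings
client_config:
  client_id: example-client-id.apps.googleusercontent.com
  client_secret: example-secret
save_credentials: true
save_credentials_backend: file
save_credentials_file: credentials.json
oauth_scope:
  - https://www.googleapis.com/auth/drive
"""

# Constructed sample carrying a python-specific tag. SafeLoader has no
# constructor for any !!python/* tag and raises instead of building the object.
TAGGED_SETTINGS = """\
client_config_backend: settings
save_credentials: !!python/object:builtins.object {}
"""


def load_settings(text: str) -> dict:
    """Parse settings YAML with SafeLoader only and reject anything that is
    not a mapping of known keys. yaml.safe_load raises yaml.YAMLError
    (a ConstructorError) on documents that use !!python/* tags."""
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise ValueError("settings file must be a YAML mapping")
    unknown = set(data) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unexpected settings keys: {sorted(unknown)}")
    return data


def is_rejected(text: str) -> bool:
    """True if load_settings refuses the document (parse error or bad schema)."""
    try:
        load_settings(text)
    except (yaml.YAMLError, ValueError):
        return True
    return False
```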
References
- github.com/advisories/GHSA-v5f6-hjmf-9mc5
- github.com/iterative/PyDrive2
- github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004
- github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5
- github.com/pypa/advisory-database/tree/main/vulns/pydrive2/PYSEC-2023-291.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYR5SJKOFSSXFV3E3D2SLXBUBA5WMJJG
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K34YWTDKBAYWZPOAKBYDM72WIFL5CAYW
- nvd.nist.gov/vuln/detail/CVE-2023-49297