CVE-2019-12761: Code Injection in PyXDG
(updated )
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
References
- gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba
- github.com/advisories/GHSA-r6v3-hpxj-r8rv
- github.com/pypa/advisory-database/tree/main/vulns/pyxdg/PYSEC-2019-199.yaml
- github.com/takluyver/pyxdg
- lists.debian.org/debian-lts-announce/2019/06/msg00006.html
- lists.debian.org/debian-lts-announce/2021/08/msg00003.html
- nvd.nist.gov/vuln/detail/CVE-2019-12761
- snyk.io/vuln/SNYK-PYTHON-PYXDG-174562
Detect and mitigate CVE-2019-12761 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →