CVE-2021-21371 – tenable-jira-cloud
Package
Manager: pip
Name: tenable-jira-cloud
Vulnerable Version: >=0 <1.1.21
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00079 (percentile 0.24096)
Details
Execution of untrusted code through config file
Impact
It is possible to run arbitrary commands through the yaml.load() method. This could allow an attacker with local access to the host to run arbitrary code by running the application with a specially crafted YAML configuration file.
Workarounds
Manually adjust yaml.load() to yaml.safe_load().
For more information
If you have any questions or comments about this advisory:
* Open an issue in tenable/integration-jira-cloud (https://github.com/tenable/integration-jira-cloud/issues)
* Email us at vulnreport@tenable.com (mailto:vulnreport@tenable.com)
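The workaround above in working form, as an added example that is not the integration's own code: a config loader that uses PyYAML's safe_load only, plus a check that tells safe documents apart from ones carrying Python-specific tags (which the full loader would resolve to Python callables). The config keys and the sample documents are constructed for the example.

```python
import yaml

# Constructed sample: the kind of plain mapping a config file should contain.
SAFE_CONFIG = """
tenable:
  access_key: EXAMPLE_ACCESS_KEY
jira:
  url: https://example.atlassian.net
"""

# Constructed sample with a Python-specific tag. yaml.load() with the full
# loader would call the tagged callable (here a harmless builtins.len);
# SafeLoader has no constructor for such tags and refuses the document.
TAGGED_CONFIG = """
tenable:
  access_key: !!python/object/apply:builtins.len [[1, 2, 3]]
"""


def load_config(text: str) -> dict:
    """Parse a YAML config with the safe loader only (the advisory's fix).

    safe_load builds just the standard YAML types (mappings, sequences,
    scalars); anything tagged for Python object construction raises.
    """
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise ValueError("config root must be a mapping")
    return data


def is_config_safe(text: str) -> bool:
    """True if the document parses under SafeLoader, False if it needs a
    full/unsafe loader (i.e. it carries tags safe_load cannot construct)."""
    try:
        yaml.safe_load(text)
        return True
    except yaml.YAMLError:
        return False
```

Running load_config on TAGGED_CONFIG raises yaml.YAMLError instead of executing anything, which is the behaviour the workaround is meant to restore.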
Metadata
Created: 2021-03-10T21:51:17Z
Modified: 2024-10-27T15:38:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-8278-88vv-x98r/GHSA-8278-88vv-x98r.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-8278-88vv-x98r
Finding: F096
Auto approve: 1