Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2023-49297

Published: 05/12/2023 Updated: 16/12/2023
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 0
Subscribe to Iterative

Vulnerability Summary

PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserilization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded in via `LoadSettingsFile`. This is a deserilization attack that will affect any user who initializes GoogleAuth from this package while a malicious yaml file is present in the same directory. This vulnerability does not require the file to be directly loaded through the code, only present. This issue has been addressed in commit `c57355dc` which is included in release version `1.16.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vulnerable Product Search on Vulmon Subscribe to Product

iterative pydrive2

iterative pydrive2 1.17.0

Vendor Advisories

Debian CVElist Bug Report Logs: pydrive2: CVE-2023-49297
Debian Bug report logs - #1057647 pydrive2: CVE-2023-49297 Package: src:pydrive2; Maintainer for src:pydrive2 is Debian Python Team <team+python@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 6 Dec 2023 13:51:02 UTC Severity: important Tags: security, upstream Found in version ...

References

CWE-502https://github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5https://github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYR5SJKOFSSXFV3E3D2SLXBUBA5WMJJG/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K34YWTDKBAYWZPOAKBYDM72WIFL5CAYW/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057647https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
NULL pointer dereferenceCVE-2023-52689CVE-2024-23803client sideCVE-2023-52696information disclosureCVE-2024-35843CVE-2024-27130CVE-2023-52697
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook