{"id":"GHSA-x23q-4j9j-9cxw","summary":"Ops CLI Deserialization of Untrusted Data vulnerability","details":"Ops CLI version 2.0.4 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability that allows arbitrary code execution when the `checkout_repo` function is called on a maliciously crafted file. An attacker can leverage this to execute arbitrary code on the victim machine. The issue is fixed in version 2.0.5.","aliases":["CVE-2021-40720","PYSEC-2021-380"],"modified":"2024-10-07T21:35:56.366759Z","published":"2022-05-24T19:17:41Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2024-04-29T14:27:44Z","nvd_published_at":"2021-10-15T15:15:00Z","severity":"CRITICAL","cwe_ids":["CWE-502"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40720"},{"type":"PACKAGE","url":"https://github.com/adobe/ops-cli"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/ops-cli/PYSEC-2021-380.yaml"},{"type":"WEB","url":"https://helpx.adobe.com/security/products/ops_cli/apsb21-88.html"}],"affected":[{"package":{"name":"ops-cli","ecosystem":"PyPI","purl":"pkg:pypi/ops-cli"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.5"}]}],"versions":["1.10.0","1.10.1","1.11.0","1.11.1","1.11.10","1.11.11","1.11.12","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.11.8","1.11.9","1.12.1","1.12.2","2.0.3","2.0.4"],"database_specific":{"last_known_affected_version_range":"\u003c= 2.0.4","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x23q-4j9j-9cxw/GHSA-x23q-4j9j-9cxw.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}