{"id":"PYSEC-2020-341","details":"An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When a YAML configuration is loaded with FromString or FromStream, arbitrary Python code can be executed, resulting in OS command execution, because safe_load is not used.","aliases":["CVE-2020-13388","GHSA-h72c-w3q3-55qq"],"modified":"2023-11-08T04:02:19.226419Z","published":"2020-05-22T17:15:00Z","references":[{"type":"WEB","url":"https://joel-malwarebenchmark.github.io"},{"type":"ARTICLE","url":"https://joel-malwarebenchmark.github.io/blog/2020/04/27/cve-2020-13388-jw-util-vulnerability/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200528-0002/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-h72c-w3q3-55qq"}],"affected":[{"package":{"name":"jw-util","ecosystem":"PyPI","purl":"pkg:pypi/jw-util"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3"}]}],"versions":["-class.-jw.util.version.Version-","1.0a","1.0dev1","1.3.4","1.3.5","1.3.6","1.3.7","1.4","1.4.1","1.4.2","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.5a0","1.5a1","1.5a2","1.5a3","1.5a4","1.5b0","1.6","1.7","1.8","1.9","1.9.1","1.9.2","2","2.0","2.0.1","2.0a0","2.0a1","2.0a2","2.0a3","2.0b0","2.1","2.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/jw.util/PYSEC-2020-341.yaml"}}],"schema_version":"1.7.3"}