Arbitrary Code Injection Affecting eve package, versions [,0.7.5)


0.0
critical
0
10

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 3.7% (92nd percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-EVE-42079
  • published 15 Mar 2018
  • disclosed 14 Jan 2018
  • credit Orange Tsai

Overview

eve is an open source Python REST API framework.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the where parameter in the io/mongo/parser.py file.

User input generated queries were not fully traversed in the sanitization. Therefore, the blacklist for mongo queries could be bypassed, allowing an attacker to manipulate $where queries to their advantage.