Arbitrary Code Injection Affecting eve package, versions [,0.7.5)


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    3.85% (92nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-EVE-42079
  • published 15 Mar 2018
  • disclosed 14 Jan 2018
  • credit Orange Tsai

Overview

eve is an open source Python REST API framework.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the where parameter in the io/mongo/parser.py file.

User input generated queries were not fully traversed in the sanitization. Therefore, the blacklist for mongo queries could be bypassed, allowing an attacker to manipulate $where queries to their advantage.

CVSS Scores

version 3.1
Expand this section

Snyk

9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical