Unrestricted Upload of File with Dangerous Type Affecting greykite package, versions [0,]
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-GREYKITE-6457150
- published 19 Mar 2024
- disclosed 18 Mar 2024
- credit bayuncao
Introduced: 18 Mar 2024
CVE-2024-28425 Open this link in a new tabHow to fix?
There is no fixed version for greykite.
Overview
greykite is an A python package for flexible forecasting
Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type via the load_obj function at /templates/pickle_utils.py due to improper user input sanitization. Based on library usage, which is aimed at developers for forecasting purposes, exploiting this vulnerability is possible if the attacker tricks the developer (through social engineering, etc.) into deserializing a crafted malicious file. In other cases, it's exploitable if the library is used in applications that might handle user-generated content without proper validation, and the attacker can control the dir_name parameter of the load_obj function.
Exploiting this vulnerability might result in code execution.