Arbitrary Command Injection Affecting nuitka package, versions [0,0.9)
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.05% (17th percentile)
- Snyk ID SNYK-PYTHON-NUITKA-2869126
- published 13 Jun 2022
- disclosed 13 Jun 2022
- credit whokilleddb
Introduced: 13 Jun 2022
CVE-2022-2054
How to fix?
Upgrade Nuitka to version 0.9 or higher.
Overview
Nuitka is a Python compiler with full language support and CPython compatibility.
Affected versions of this package are vulnerable to Arbitrary Command Injection due to insecure usage of the eval() method in the main() function.
Exploiting this vulnerability is possible by setting one of these environment variables (NUITKA_PYTHONPATH, NUITKA_NAMESPACES or NUITKA_PTH_IMPORTED) to a malicious payload string.
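As an added illustration (this is not Nuitka's code and is not taken from the advisory), the following Python contrasts the pattern the advisory describes, eval() applied to an environment-variable value, with a hardened parser: ast.literal_eval accepts only Python literals, so any expression, call, name or attribute access is rejected with ValueError, and an explicit type check then rejects anything that is not a list of strings. The variable name NUITKA_PYTHONPATH comes from the advisory; the sample value, the function names and the constructed inputs are assumptions made for this example.

```python
import ast
import os
from typing import List, Mapping, Optional

# Constructed sample: the kind of value such a variable is meant to carry,
# a Python list literal of filesystem paths (assumption for this example).
SAMPLE_PYTHONPATH_ENV = "['/opt/app/lib', '/opt/app/vendor']"


def parse_path_list_unsafe(raw: str) -> List[str]:
    """Illustrates the pattern the advisory describes (not Nuitka's code).

    eval() executes arbitrary Python, so a value that reaches it from the
    process environment is an injection point: an expression such as
    len('abc') is evaluated rather than rejected.
    """
    return eval(raw)  # deliberately insecure, kept only for contrast


def parse_path_list_safe(raw: str) -> List[str]:
    """Hardened form: parse the value as a literal and validate its shape.

    ast.literal_eval raises ValueError for anything that is not a plain
    literal (calls, names, attribute access, operators), so the caller never
    executes attacker-controlled code. The isinstance checks then reject
    literals of the wrong type (a bare string, a dict, a list of ints).
    """
    value = ast.literal_eval(raw)
    if not isinstance(value, list) or not all(isinstance(p, str) for p in value):
        raise ValueError("expected a Python list literal of strings")
    return value


def load_env_paths(name: str, environ: Optional[Mapping[str, str]] = None) -> List[str]:
    """Read a path-list variable from the environment safely.

    A missing variable yields an empty list; a malformed or non-literal
    value raises ValueError instead of being evaluated.
    """
    env = os.environ if environ is None else environ
    raw = env.get(name)
    if raw is None:
        return []
    return parse_path_list_safe(raw)


if __name__ == "__main__":
    # Constructed environment so the demo runs offline; the real process
    # environment is used when environ is left as None.
    demo_env = {"NUITKA_PYTHONPATH": SAMPLE_PYTHONPATH_ENV}
    print("safe parse:", load_env_paths("NUITKA_PYTHONPATH", demo_env))
    print("eval runs expressions:", parse_path_list_unsafe("len('abc')"))
    try:
        parse_path_list_safe("len('abc')")
    except ValueError as exc:
        print("literal_eval rejected expression:", exc)
```

The check on the parsed type matters as much as the switch away from eval(): ast.literal_eval happily returns a dict or a string, and downstream code that expects a list of paths would otherwise fail in less predictable ways. When the value only ever needs to be a path list, a delimiter-separated string split on os.pathsep avoids Python literal syntax altogether.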