Arbitrary Command Execution via YAML Parsing in django_make_app 0.1.3

Arbitrary Command Execution via YAML Parsing in django_make_app 0.1.3

CVE-2017-16764 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.

Learn more about our Web Application Penetration Testing UK.