Vulnerability title
Unsafe YAML deserialization in PyDrive2
Vulnerability description
PyDrive2 is a wrapper library for google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML parsing leads to arbitrary code execution. A maliciously crafted YAML file causes arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded via `LoadSettingsFile`. This is a parsing attack that affects any user who initializes GoogleAuth from this package while a malicious YAML file is present. The vulnerability does not require the file to be loaded directly through code; it only needs to be present. This issue has been addressed in commit `c57355dc`, which is included in release version `1.16.2`. Users are advised to upgrade. There is currently no known remediation method for this vulnerability.
CVSS information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability category
Deserialization of trusted data
Vulnerability title
Unsafe YAML deserialization in PyDrive2
Vulnerability description
PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserialization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded in via `LoadSettingsFile`. This is a deserialization attack that will affect any user who initializes GoogleAuth from this package while a malicious YAML file is present in the same directory. This vulnerability does not require the file to be directly loaded through the code, only present. This issue has been addressed in commit `c57355dc`, which is included in release version `1.16.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Vulnerability category
Deserialization of trusted data
Vulnerability title
PyDrive2 code issue vulnerability
Vulnerability description
PyDrive2 is an open-source wrapper library for google-api-python-client from Iterative. PyDrive2 1.17.0, 1.16.1 and earlier versions have a code issue vulnerability, which stems from unsafe YAML deserialization in LoadSettingsFile that allows arbitrary code execution.
CVSS information
N/A
Vulnerability category
Code issue