Vulnerability Description
An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Jw.Util | < 2.3 |
Related Weaknesses (CWE)
References
- https://joel-malwarebenchmark.github.ioExploitThird Party Advisory
- https://joel-malwarebenchmark.github.io/blog/2020/04/27/cve-2020-13388-jw-util-vExploitThird Party Advisory
- https://security.netapp.com/advisory/ntap-20200528-0002/Third Party Advisory
- https://joel-malwarebenchmark.github.ioExploitThird Party Advisory
- https://joel-malwarebenchmark.github.io/blog/2020/04/27/cve-2020-13388-jw-util-vExploitThird Party Advisory
- https://security.netapp.com/advisory/ntap-20200528-0002/Third Party Advisory
FAQ
What is CVE-2020-13388?
CVE-2020-13388 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one c...
How severe is CVE-2020-13388?
CVE-2020-13388 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-13388?
Check the references section above for vendor advisories and patch information. Affected products include: Python Jw.Util.