Command execution through python/object/apply constructor in FullLoader in PyYaml #92
Labels
talk-proposal
New talk of Python Pune meetup
Title of the talk
Exploiting and understanding CVE-2019-20477.
Description
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2019-20477
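As an added illustration for the description above (example code, not from the proposal or from PyYAML itself): a pre-load gate that walks the parser's event stream of an untrusted document without constructing anything, reports every node tagged in the `python/` namespace together with its line number, and only then hands the text to `SafeLoader`. Because event tags arrive fully resolved, the check also catches tags introduced through a `%TAG` handle rather than the literal `!!python/` shorthand. It assumes PyYAML is installed; the two sample documents are constructed.

```python
"""Pre-load gate for untrusted YAML (assumes PyYAML >= 5.1 is installed)."""
import yaml

# Every !!python/... tag resolves to this URI prefix once the parser
# expands the "!!" handle, so matching on it is independent of how the
# tag was spelled in the source document.
PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"

# Constructed sample documents (not from the original page).
BENIGN = "service:\n  name: web\n  replicas: 3\n"
TAGGED = "service:\n  name: web\n  calc: !!python/object/apply:math.sqrt [16]\n"


def find_python_tags(text):
    """Return (resolved_tag, 1-based line) for each python/-namespace node.

    yaml.parse only emits events; no constructor runs, so inspecting a
    hostile document this way cannot trigger deserialization side effects.
    """
    hits = []
    for event in yaml.parse(text, Loader=yaml.SafeLoader):
        tag = getattr(event, "tag", None)  # only node events carry a tag
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            hits.append((tag, event.start_mark.line + 1))
    return hits


def load_untrusted(text):
    """Reject documents carrying python/ tags, otherwise safe_load them.

    safe_load would refuse such tags anyway, but naming the offending tag
    and line gives an alert a defender can act on instead of a bare
    ConstructorError.
    """
    hits = find_python_tags(text)
    if hits:
        raise ValueError("python-namespace tags rejected: %r" % (hits,))
    return yaml.safe_load(text)


if __name__ == "__main__":
    print(load_untrusted(BENIGN))
    print(find_python_tags(TAGGED))
```

On an unpatched 5.1.x, `full_load` on the tagged document would call the referenced callable; the gate rejects it explicitly on every version.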
Duration (including Q&A)
30-45 mins
Prerequisites
What a CVE and a vulnerability are.
Checklist
The talk/workshop speaker agrees to,