CVE-2018-14572: conference-scheduler-cli Arbitrary Code Execution
(updated )
In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
References
- github.com/PyconUK/ConferenceScheduler-cli
- github.com/PyconUK/ConferenceScheduler-cli/issues/19
- github.com/advisories/GHSA-cf3c-fffp-34qh
- github.com/pypa/advisory-database/tree/main/vulns/conference-scheduler-cli/PYSEC-2018-64.yaml
- joel-malwarebenchmark.github.io/blog/2020/04/25/cve-2018-14572-conference-scheduler-cli
- nvd.nist.gov/vuln/detail/CVE-2018-14572
Code Behaviors & Features
Detect and mitigate CVE-2018-14572 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →