CVE-2014-3539: Code injection in rope

July 26, 2018 (updated October 21, 2024)

base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load.

References

bugzilla.redhat.com/show_bug.cgi?id=1116485
github.com/advisories/GHSA-r38r-qp28-2m63
github.com/pypa/advisory-database/tree/main/vulns/rope/PYSEC-2018-100.yaml
github.com/python-rope/rope
github.com/python-rope/rope/commit/b01da7aab5cd02129941d2a900e6e5e3b5f7d4fb
nvd.nist.gov/vuln/detail/CVE-2014-3539

Code Behaviors & Features

Detect and mitigate CVE-2014-3539 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →