conference-scheduler-cli Arbitrary Code Execution · CVE-2018-14572 · GitHub Advisory Database · GitHub

conference-scheduler-cli Arbitrary Code Execution

High severity GitHub Reviewed Published Oct 29, 2018 to the GitHub Advisory Database • Updated Sep 5, 2023

Package

conference-scheduler-cli (pip)

Affected versions

<= 0.10.1

Patched versions

None

Description

In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.

References

Published to the GitHub Advisory Database Oct 29, 2018

Reviewed Jun 16, 2020

Last updated Sep 5, 2023

Severity

High

7.8

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H