CVE-2019-7537

CRITICAL

Donfig 0.3.0 - Remote Code Execution via collect_yaml Method

Title source: llm

Description

An issue was discovered in Donfig 0.3.0. There is a vulnerability in the collect_yaml method in config_obj.py. It can execute arbitrary Python commands, resulting in command execution.

References (2)

Core 2

Core References

Exploit, Issue Tracking, Third Party Advisory x_refsource_misc

https://github.com/pytroll/donfig/issues/5

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/pytroll/donfig/commits/master

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0344

EPSS Percentile 87.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (2)

pypi/donfig 0 - 0.4.0PyPI

pytroll/donfig 0.3.0

Published Mar 21, 2019

Tracked Since Feb 18, 2026