23andMe / Yamale

A schema and validator for YAML.
MIT License

Limit the strings which can be eval'd #165

Closed mildebrandt closed 3 years ago

mildebrandt commented 3 years ago

When processing the schema, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system commands. This change limits the string to those that begin with the known validators.
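The eval-and-allowlist problem described above, as an added illustration that is not Yamale's own code: `prefix_allowed` mirrors the kind of prefix check the PR describes, while `parse_validator` shows the stricter alternative of parsing the rule with `ast` and never calling eval at all. The `KNOWN_VALIDATORS` registry and its names are constructed stand-ins.

```python
import ast

# Constructed stand-in for a validator registry (names modelled on
# Yamale-style validators; not the project's own table).
KNOWN_VALIDATORS = {
    "str": lambda **kw: ("str", kw),
    "int": lambda **kw: ("int", kw),
    "list": lambda *args, **kw: ("list", args, kw),
}

def prefix_allowed(expr: str) -> bool:
    """Prefix allowlist in the spirit of the fix described in the PR. On its
    own it still hands the rest of the string to eval, so it narrows rather
    than closes the attack surface; parse_validator below avoids eval."""
    name = expr.strip().split("(", 1)[0].strip()
    return name in KNOWN_VALIDATORS

def _arg(node):
    """Accept a literal or a nested validator such as the int() in list(int())."""
    if isinstance(node, (ast.Call, ast.Name)):
        return _parse_node(node)
    return ast.literal_eval(node)  # ValueError on anything that is not a literal

def _parse_node(node):
    if isinstance(node, ast.Name):
        name, arg_nodes, kw_nodes = node.id, [], []
    elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        name, arg_nodes, kw_nodes = node.func.id, node.args, node.keywords
    else:
        raise ValueError("rule is not a validator name or call")
    if name not in KNOWN_VALIDATORS:
        raise ValueError(f"unknown validator: {name!r}")
    if any(kw.arg is None for kw in kw_nodes):
        raise ValueError("keyword splat (**) is not allowed")
    args = [_arg(a) for a in arg_nodes]
    kwargs = {kw.arg: _arg(kw.value) for kw in kw_nodes}
    return KNOWN_VALIDATORS[name](*args, **kwargs)

def parse_validator(expr: str):
    """Safe alternative to eval: parse the rule with ast and accept only one
    known validator (bare name or call) whose arguments are literals or nested
    validators. No part of the string is ever executed."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"unparsable rule: {expr!r}") from exc
    return _parse_node(tree.body)
```

A rule such as `int(min=some_call())` passes the prefix check but is rejected by `parse_validator`, which is the gap a prefix allowlist alone leaves open.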

gauravphoenix commented 3 years ago

Thank you for finding and fixing it. Are you planning to publish a CVE for this?

mildebrandt commented 3 years ago

Yes, it's CVE-2021-38305