LevyForchh / yugabyte-db

The high-performance distributed SQL database for global, internet-scale apps.
https://www.yugabyte.com

CVE-2017-2809 (High) detected in ansible-vault-1.0.4.tar.gz #130

Open mend-for-github-com[bot] opened 3 years ago

mend-for-github-com[bot] commented 3 years ago

CVE-2017-2809 - High Severity Vulnerability

Vulnerable Library - ansible-vault-1.0.4.tar.gz

R/W an ansible-vault yaml file

Library home page: https://files.pythonhosted.org/packages/4e/8e/7f7b7d90d0f4745c9c1ee45192997bc7db515b1f8c2abc142ed279b01084/ansible-vault-1.0.4.tar.gz

Path to dependency file: yugabyte-db/cloud/kubernetes/yb-multiregion-k8s

Path to vulnerable library: yugabyte-db/cloud/kubernetes/yb-multiregion-k8s,yugabyte-db/managed/devops/python3_requirements.txt,yugabyte-db/managed/devops/python_requirements.txt

Dependency Hierarchy:
- :x: **ansible-vault-1.0.4.tar.gz** (Vulnerable Library)

Found in HEAD commit: d5a0ed9bff63893a5435e09333d22846f6bb3acc

Found in base branch: master

Vulnerability Details

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.

Publish Date: 2017-09-14

URL: CVE-2017-2809

CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2809

Release Date: 2017-09-14

Fix Resolution: 1.0.5