Main Vulnerability Database Vulnerabilities #VU36170

Code Injection in rdflib - CVE-2019-7653

Published: February 9, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU36170

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-7653

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: ropensci

Affected software:
rdflib

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because "python -m" looks in this directory, as demonstrated by rdf2dot. This issue is specific to use of the debian/scripts directory.

How to mitigate CVE-2019-7653

Install update from vendor's website.

Sources

https://bugs.debian.org/921751
https://lists.debian.org/debian-lts-announce/2019/03/msg00019.html

Code Injection in rdflib - CVE-2019-7653

Detailed vulnerability description

How to mitigate CVE-2019-7653

Sources

Please verify you're human