Deserialization of Untrusted Data in PyDrive2 - CVE-2023-49297
Published: December 13, 2023
Vulnerability identifier: #VU84380
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-49297
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PyDrive2
PyDrive2
Software vendor:
Iterative Research Inc.
Iterative Research Inc.
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can trick the victim to load a specially crafted YAML file and execute arbitrary code on the system.
Successful exploitation of the vulnerability requires that PyDrive2 is run in the same directory as the malicious YAML file or if it is loaded in via LoadSettingsFile.
Remediation
Install updates from vendor's website.