Python Package: jw.util
Version: <= 2.3
Reported by: Joel
An exploitable vulnerability exists in the configuration loading functionality of
jw.util before 2.3. Configuration is a module for handling configurations from a YAML source and a class for simplifying access to a configuration tree. Loading a configuration from a stream with YAML can execute arbitrary Python code, resulting in code execution. An attacker can insert Python into the loaded YAML to trigger this vulnerability.
It should use yaml.safe_load to parse the YAML file.
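The following is an added example, not jw.util's own code, showing the recommended fix: a configuration loader built on yaml.safe_load together with a small tree-access class of the kind the report describes. The SafeLoader only constructs standard YAML types, so a document carrying a Python-specific tag (the constructed TAGGED_CONFIG below uses the harmless !!python/tuple tag to stand in for any such tag) is rejected with a YAMLError instead of being turned into Python objects. The sample configurations, the load_config/is_safe_document functions and the Config class are all constructed for this example.

```python
"""Added example (not jw.util's code): safe YAML configuration loading."""
import io
import yaml

# Constructed sample configuration using plain YAML types only.
PLAIN_CONFIG = """
database:
  host: db.internal
  port: 5432
features: [metrics, audit]
"""

# Constructed document carrying a Python-specific tag. A safe loader must
# refuse to construct it; a full/unsafe loader would build a Python object.
TAGGED_CONFIG = """
database:
  host: !!python/tuple [db, internal]
"""


def load_config(stream):
    """Parse a YAML configuration from a stream or string.

    yaml.safe_load uses SafeLoader, which knows only the standard YAML tags,
    so !!python/... tags raise yaml.constructor.ConstructorError (a YAMLError)
    instead of instantiating arbitrary Python objects.
    """
    return yaml.safe_load(stream)


def is_safe_document(stream):
    """Return True if the document parses with the safe loader, False if the
    safe loader rejects it (for example because of a Python-specific tag)."""
    try:
        load_config(stream)
    except yaml.YAMLError:
        return False
    return True


class Config:
    """Read-only access to a configuration tree via dotted keys."""

    def __init__(self, tree):
        self._tree = tree

    def get(self, path, default=None):
        """Look up 'a.b.c' in nested dicts; return default if any part is missing."""
        node = self._tree
        for part in path.split("."):
            if not isinstance(node, dict) or part not in node:
                return default
            node = node[part]
        return node


if __name__ == "__main__":
    cfg = Config(load_config(io.StringIO(PLAIN_CONFIG)))
    print("database.host =", cfg.get("database.host"))
    print("tagged document accepted by safe loader:", is_safe_document(TAGGED_CONFIG))
```

The same document would be accepted by yaml.load with an unsafe loader; from PyYAML 5.1 onward yaml.load warns when no Loader is given, and PyYAML 6.0 requires the Loader argument, but safe_load (or yaml.load(stream, Loader=yaml.SafeLoader)) is the only form that guarantees no Python-specific tags are constructed.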