Python Package: MLAlchemy
Version: Before 0.2.2
Published: Nov. 7th, 2017
Reported by: Joel
An issue was discovered in the MLAlchemy package before 0.2.2. Untrusted data passed into the parse_yaml_query() function can execute arbitrary Python commands, resulting in command execution.
The updated version of MLAlchemy (0.2.2) correctly uses the yaml.safe_load method, which prevents remote code execution.
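The root cause is PyYAML's unsafe loader honouring `!!python/...` tags that construct arbitrary Python objects from the input document. The following is an added example, not MLAlchemy's own code, of a query parser hardened the way the 0.2.2 fix describes: it uses yaml.safe_load, rejects any document carrying a tag the safe loader does not recognise, and insists on a mapping. The query shape and field names are constructed for illustration, not MLAlchemy's real schema.

```python
"""Hardened YAML query parser (added example, not MLAlchemy's code).

The vulnerable pattern is yaml.load(text) with the default loader, which
honours !!python/... tags and builds arbitrary Python objects from
attacker-controlled input. Switching to yaml.safe_load limits parsing to
plain YAML types and raises on any unknown tag.
"""
import yaml

# Constructed sample query (assumed shape, not MLAlchemy's real schema).
SAFE_QUERY = """
table: users
where:
  name: alice
  age: 30
"""

# Constructed document carrying a PyYAML Python tag. The safe loader must
# refuse it. The tag chosen here is harmless even if it were resolved; the
# point is that no Python-specific tag gets through at all.
TAGGED_QUERY = """
table: users
where:
  name: !!python/name:builtins.dict
"""


def parse_yaml_query(text):
    """Parse a YAML query using the safe loader only.

    Returns a plain dict on success. Raises ValueError when the document is
    malformed, carries a tag the safe loader does not know (including every
    !!python/... tag), or is not a top-level mapping.
    """
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:  # ConstructorError and friends land here
        raise ValueError("rejected YAML query: %s" % exc) from exc
    if not isinstance(data, dict):
        raise ValueError("query must be a YAML mapping")
    return data


def is_rejected(text):
    """True if the hardened parser refuses the document."""
    try:
        parse_yaml_query(text)
    except ValueError:
        return True
    return False
```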