CVE-2017-2810

Impact:
Low
Public Date:
2017-06-13
CWE:
CWE-502
Bugzilla:
1461297: CVE-2017-2810 python-tablib: Databook loading functionality allows command execution
It was found that loading a YAML-format Databook from an untrusted source could lead to arbitrary code execution in python-tablib: the content was parsed with PyYAML's full yaml.load rather than yaml.safe_load, so YAML tags that construct arbitrary Python objects (and thereby call arbitrary Python callables) were honoured during parsing.
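The following is an added example, not code from python-tablib or Red Hat: it shows the unsafe-loader pattern behind this flaw next to the safe_load fix, using a constructed "Databook"-style document (a list of sheets with a title and rows; this layout is an assumption loosely modelled on tablib's YAML export, not its real parser). The malicious document uses a python/object/apply tag that calls os.getcwd(), chosen because it is harmless; an attacker would name something like os.system instead. Requires PyYAML.

```python
"""Unsafe vs. safe YAML deserialisation, in the style of CVE-2017-2810.

Added example, not tablib code. The Databook layout (list of sheets, each
with a "title" and "data" rows) is an assumption, loosely modelled on
tablib's YAML export; the two documents below are constructed inputs.
"""
import os
import yaml

# Constructed benign document: what a Databook might look like in YAML.
BENIGN_DATABOOK = """\
- title: users
  data:
    - {name: alice, role: admin}
    - {name: bob, role: user}
- title: hosts
  data:
    - {host: web01, ip: 10.0.0.5}
"""

# Constructed malicious document: the python/object/apply tag makes an
# unsafe loader *call* os.getcwd() while "parsing" the file. os.getcwd is
# used only because it is harmless; the tag accepts any importable callable.
MALICIOUS_DATABOOK = """\
- title: pwned
  data: !!python/object/apply:os.getcwd []
"""


def load_databook_unsafe(text):
    """The pattern behind the flaw: a loader that honours python/... tags,
    so parsing doubles as code execution. Older PyYAML did this with a bare
    yaml.load(text); current PyYAML requires naming a Loader, so the unsafe
    behaviour is spelled out explicitly here."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_databook_safe(text):
    """The fix: yaml.safe_load only builds plain YAML types (mappings,
    sequences, scalars) and raises ConstructorError on any python/... tag."""
    return yaml.safe_load(text)


def validate_databook(book):
    """Schema check after safe loading: a list of sheets, each a mapping with
    a string title and a list of row mappings. safe_load stops code
    execution; this stops malformed input from reaching the caller."""
    if not isinstance(book, list):
        raise ValueError("databook must be a list of sheets")
    for sheet in book:
        if not isinstance(sheet, dict) or not isinstance(sheet.get("title"), str):
            raise ValueError("each sheet needs a string title")
        rows = sheet.get("data", [])
        if not isinstance(rows, list) or not all(isinstance(r, dict) for r in rows):
            raise ValueError("sheet data must be a list of row mappings")
    return book


def is_rejected_by_safe_loader(text):
    """True when safe_load refuses the document, i.e. it carried a
    constructor tag that the SafeLoader does not know."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def unsafe_load_ran_code(text):
    """Evidence of execution: the unsafe loader hands back the live result
    of os.getcwd() where the document only declared a tag."""
    book = load_databook_unsafe(text)
    return book[0]["data"] == os.getcwd()


if __name__ == "__main__":
    book = validate_databook(load_databook_safe(BENIGN_DATABOOK))
    print("safe_load ok, sheets:", [s["title"] for s in book])
    print("safe_load rejects malicious doc:", is_rejected_by_safe_loader(MALICIOUS_DATABOOK))
    print("unsafe load executed os.getcwd():", unsafe_load_ran_code(MALICIOUS_DATABOOK))
```

The check to carry over to any code base: grep for `yaml.load(` calls with no `Loader=` argument or with `FullLoader`/`UnsafeLoader`, and replace them with `yaml.safe_load` unless the input is trusted and the Python-specific tags are genuinely needed.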

Find out more about CVE-2017-2810 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat Product Security has rated this issue as having Low security impact in Red Hat OpenStack Platform. While the code is present in the python-tablib package, it is not reachable in any supported configuration. There is currently no plan to address this flaw in any supported version of Red Hat OpenStack Platform.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High

Affected Packages State

Platform                                   Package         State
Red Hat OpenStack Platform 8.0 (Liberty)   python-tablib   Will not fix
Red Hat OpenStack Platform 9.0             python-tablib   Will not fix
Red Hat OpenStack Platform 10              python-tablib   Will not fix
Red Hat OpenStack Platform 11.0 (Ocata)    python-tablib   Will not fix
Red Hat OpenStack Platform 12.0            python-tablib   Not affected
