Vulnerability Details CVE-2018-14572
In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 73.8%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 6.8
References
- https://github.com/PyconUK/ConferenceScheduler-cli/issues/19
- https://joel-malwarebenchmark.github.io/blog/2020/04/25/cve-2018-14572-conference-scheduler-cli/
- https://github.com/PyconUK/ConferenceScheduler-cli/issues/19
- https://joel-malwarebenchmark.github.io/blog/2020/04/25/cve-2018-14572-conference-scheduler-cli/
Products affected by CVE-2018-14572
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.1.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.10.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.10.1
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.2.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.3.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.3.1
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.4.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.4.1
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.5.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.6.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.7.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.7.1
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.7.2
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.8.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.8.1
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.8.2
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.8.3
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.8.4
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.9.0
-
cpe:2.3:a:pyconuk:conference-scheduler-cli:0.9.1