Products
EXPLIoT CloudFuzz

Technical
Advisory

Through sharp, technical and insightful analysis, the Payatu Team is constantly on the lookout for vulnerabilities and threats. This section exhibits a few of our findings.

...
...

Command Injection in GitHub repository Nuitka/Nuitka prior to 0.9.

Vulnerability

Command Injection in GitHub repository Nuitka prior to 0.9.

Description

The main() function uses the eval() function which can lead to contextual code execution, allowing an attacker to gain access to a system and execute commands with the privileges of the running program by setting NUITKA_PYTHONPATH, NUITKA_NAMESPACES, or NUITKA_PTH_IMPORTED to a malicious payload string. This can lead to backdoors, reverse shells or reading/writing to privileged files.

CVE-ID

CVE-2022-2054

Vendor

Nuitka

Product

Nuitka prior to 0.9

Disclosure Timeline

Reported On: 4th June 2022

Made Public On: 5th June 2022

Fixed On:27th June 2022

Credits

Debjeet Banerjee