Vulnerability
Command Injection in GitHub repository Nuitka prior to 0.9.
Description
The main() function passes the contents of the environment variables NUITKA_PYTHONPATH, NUITKA_NAMESPACES, and NUITKA_PTH_IMPORTED to eval(). Because eval() executes its argument as Python code, anyone who can set one of these variables to a malicious payload string can run arbitrary code with the privileges of the running program. This can lead to backdoors, reverse shells, or reading from and writing to privileged files.
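The following is an added illustration, not Nuitka's own code, contrasting the eval()-on-environment pattern the advisory describes with a hardened loader that only accepts a literal list of strings. It assumes (an assumption, not taken from the advisory) that the variables are meant to hold Python list literals; the environment dictionaries in the test are constructed.

```python
import ast
import os

# Assumption (not from the advisory): the variables carry Python list
# literals such as "['/opt/lib', '/srv/site-packages']".
ENV_LIST_VARS = ("NUITKA_PYTHONPATH", "NUITKA_NAMESPACES", "NUITKA_PTH_IMPORTED")


def unsafe_load(name, environ=os.environ):
    """The vulnerable pattern: eval() executes the variable as Python code.

    Shown only as the anti-pattern; whoever controls the environment
    controls what runs here.
    """
    raw = environ.get(name)
    return eval(raw) if raw else []  # noqa: S307


def safe_load(name, environ=os.environ):
    """Hardened loader: parse a literal only, then validate its shape.

    ast.literal_eval accepts Python literals (strings, numbers, lists,
    dicts, ...) and raises on calls, attribute access, names and other
    executable constructs, so the variable can never trigger code.
    """
    raw = environ.get(name)
    if not raw:
        return []
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"{name}: value is not a Python literal") from exc
    # Literal or not, enforce the expected type: a list of path strings.
    if not isinstance(value, list) or not all(isinstance(i, str) for i in value):
        raise ValueError(f"{name}: expected a list of strings")
    return value


def load_all(environ=os.environ):
    """Load every Nuitka list variable the hardened way."""
    return {name: safe_load(name, environ) for name in ENV_LIST_VARS}
```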
CVE-ID
CVE-2022-2054
Vendor
Nuitka
Product
Nuitka prior to 0.9
Disclosure Timeline
Reported On: 4th June 2022
Made Public On: 5th June 2022
Fixed On: 27th June 2022
Credits
Debjeet Banerjee