CVE-2019-17526
CVE-2019-17526 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python code injection can occur in the context of an internet-facing web application. EPSS estimates a 3.00% chance of exploitation in the next 30 days.
Description
An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python code injection can occur in the context of an internet-facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').popen('whoami').read() line. NOTE: the vendor's position is that the product is "vulnerable by design" and the current behavior will be retained.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sagemath | Sagemathcell | All versions |
References
- https://gist.github.com/barrett092/0380a1c34c014e29b827d1f408381525 (Exploit, Third Party Advisory)
- https://sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html (Exploit, Third Party Advisory)
Source: NVD / NIST
