An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| jw.util(PyPI) | 0 | 2.3 | N/A |
CVSS Metrics
