Safety vulnerability ID: 62689
The information on this page was manually curated by our Cybersecurity Intelligence Team.
PyDrive2, a Python wrapper for Google Drive API V2, has a vulnerability (CVE-2023-49297) due to unsafe YAML deserialization, which could lead to arbitrary code execution from a malicious YAML file in the same directory or loaded via LoadSettingsFile. The issue was fixed in release version 1.16.2 (commit c57355dc). Users should update to this version or later.
https://github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004
Latest version: 1.21.3
Google Drive API made easy. Maintained fork of PyDrive.
PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserilization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded in via `LoadSettingsFile`. This is a deserilization attack that will affect any user who initializes GoogleAuth from this package while a malicious yaml file is present in the same directory. This vulnerability does not require the file to be directly loaded through the code, only present. This issue has been addressed in commit `c57355dc` which is included in release version `1.16.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability. See CVE-2023-49297.
MISC:https://github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004: https://github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004
MISC:https://github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5: https://github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application