Critical severity · CVSS 9.8 (NVD) · Advisory · Published Nov 10, 2017 · Updated May 13, 2026
CVE-2017-16763
Description
An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Configuration.load walks CONF_PATHS, which includes the per-user file "~/.confire.yaml", and parses every file that exists with yaml.load. The loader PyYAML selected by default at the time (yaml.Loader) honours the python/object, python/object/apply and related tags, which instantiate arbitrary Python objects and call arbitrary callables while the document is being constructed, so a YAML document placed in any of those files runs as Python code, with the privileges of the application, as soon as the application loads its configuration. An attacker who can write to one of the loaded configuration files therefore gets arbitrary command execution without touching the application's own code. The fix (commit 8cc86a5ec232) switches the call to yaml.safe_load, which rejects every python/* tag.
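The unsafe and the fixed loader side by side, as an added example that is neither Confire's code nor part of the advisory: a constructed ~/.confire.yaml carrying a python/object/apply tag is executed when parsed with yaml.load and the unsafe yaml.Loader, and rejected by yaml.safe_load. PyYAML must be installed; MALICIOUS_CONFIG, BENIGN_CONFIG, load_config and the temporary files written by demo_file_loading are all constructed here for the demonstration and are not the project's names.

```python
import os
import tempfile

import yaml

# Constructed attacker-controlled ~/.confire.yaml. The python/object/apply tag
# makes PyYAML's unsafe loader import builtins, look up eval and call it with
# the listed arguments; a real payload would name os.system or
# subprocess.check_output instead. The benign file is there for comparison.
MALICIOUS_CONFIG = """\
debug: !!python/object/apply:builtins.eval ["2 ** 10"]
database:
  host: localhost
"""

BENIGN_CONFIG = """\
debug: false
database:
  host: localhost
"""


def load_unsafe(text):
    """Confire 0.2.0 behaviour. Before PyYAML 5.1 yaml.load(stream) used this
    loader by default; passing it explicitly keeps the demo identical on every
    PyYAML release. yaml.Loader constructs any python/* tag it meets."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """Patched behaviour: safe_load only builds plain scalars, lists and dicts
    and raises ConstructorError on any python/* tag."""
    return yaml.safe_load(text)


def classify(loader, text):
    """Run a loader over text; returns ("loaded", data) or ("rejected", problem)."""
    try:
        return ("loaded", loader(text))
    except yaml.constructor.ConstructorError as exc:
        return ("rejected", exc.problem)


def load_config(conf_paths):
    """Hypothetical helper mirroring the patched Configuration.load loop.
    safe_load returns None for an empty document, so fall back to {} rather
    than passing None on to the configure step."""
    merged = {}
    for path in conf_paths:
        if os.path.exists(path):
            with open(path, "r") as conf:
                merged.update(yaml.safe_load(conf) or {})
    return merged


def demo_file_loading():
    """Constructed CONF_PATHS: a missing file, an empty file and a benign user
    file; returns the merged configuration."""
    with tempfile.TemporaryDirectory() as tmp:
        missing = os.path.join(tmp, "does-not-exist.yaml")
        empty = os.path.join(tmp, "empty.yaml")
        user = os.path.join(tmp, "confire.yaml")
        open(empty, "w").close()
        with open(user, "w") as fh:
            fh.write(BENIGN_CONFIG)
        return load_config([missing, empty, user])


if __name__ == "__main__":
    print("yaml.load :", classify(load_unsafe, MALICIOUS_CONFIG))
    print("safe_load :", classify(load_safe, MALICIOUS_CONFIG))
    print("merged    :", demo_file_loading())
```

With the unsafe loader the `debug` key comes back as the integer 1024, i.e. the string inside the tag was handed to eval while the file was being parsed; the safe loader stops at the tag with "could not determine a constructor for the tag ..." before any code runs. The `or {}` in load_config is the one caveat the patch itself leaves open: an empty configuration file makes safe_load return None.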
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| confire (PyPI) | <= 0.2.0 | — |
Affected products
- cpe:2.3:a:confire_project:confire:0.2.0:*:*:*:*:*:*:*
Patches
8cc86a5ec232 · use safe load instead of load
6 files changed · +49 −9
confire/config.py+1 −1 modified@@ -143,7 +143,7 @@ def load(klass): for path in klass.CONF_PATHS: if os.path.exists(path): with open(path, 'r') as conf: - config.configure(yaml.load(conf)) + config.configure(yaml.safe_load(conf)) return config def configure(self, conf={}):
tests/test_conf.py+2 −2 modified@@ -1,4 +1,4 @@ -# tests.conf_tests +# tests.test_conf # Testing the configuration module for Confire # # Author: Benjamin Bengfort <benjamin@bengfort.com> @@ -7,7 +7,7 @@ # Copyright (C) 2014 Bengfort.com # For license information, see LICENSE.txt # -# ID: conf_tests.py [] benjamin@bengfort.com $ +# ID: test_conf.py [] benjamin@bengfort.com $ """ Testing the configuration module for Confire
tests/test_descriptors.py+2 −2 modified@@ -1,4 +1,4 @@ -# tests.descriptors_tests +# tests.test_descriptors # Implements a base SettingsDescriptor for advanced configurations # # Author: Benjamin Bengfort <benjamin@bengfort.com> @@ -7,7 +7,7 @@ # Copyright (C) 2015 Bengfort.com # For license information, see LICENSE.txt # -# ID: descriptors_tests.py [] benjamin@bengfort.com $ +# ID: test_descriptors.py [] benjamin@bengfort.com $ """ Implements a base SettingsDescriptor for advanced configurations
tests/test_environ.py+2 −2 modified@@ -1,4 +1,4 @@ -# tests.environ_tests +# tests.test_environ # Tests the environment configuration ability # # Author: Benjamin Bengfort <benjamin@bengfort.com> @@ -7,7 +7,7 @@ # Copyright (C) 2014 Bengfort.com # For license information, see LICENSE.txt # -# ID: environ_tests.py [] benjamin@bengfort.com $ +# ID: test_environ.py [] benjamin@bengfort.com $ """ Tests the environment configuration ability
tests/test_paths.py+2 −2 modified@@ -1,4 +1,4 @@ -# tests.paths_tests +# tests.test_paths # Testing the paths descriptor # # Author: Benjamin Bengfort <benjamin@bengfort.com> @@ -7,7 +7,7 @@ # Copyright (C) 2014 Bengfort.com # For license information, see LICENSE.txt # -# ID: paths_tests.py [] benjamin@bengfort.com $ +# ID: test_paths.py [] benjamin@bengfort.com $ """ Testing the paths descriptor
tests/test_safety.py+40 −0 added@@ -0,0 +1,40 @@ +# tests.test_safety +# Test that we're using safe methods +# +# Author: Benjamin Bengfort <benjamin@bengfort.com> +# Created: Fri Nov 10 12:22:35 2017 -0500 +# +# Copyright (C) 2014 Bengfort.com +# For license information, see LICENSE.txt +# +# ID: test_safety.py [] benjamin@bengfort.com $ + +""" +Testing the paths descriptor +""" + +########################################################################## +## Imports +########################################################################## + +import os + +from unittest import mock + + +# Cannot import from test_conf.py to ensure correct mock +TESTDATA = os.path.join(os.path.dirname(__file__), "testdata") +TESTCONF = os.path.join(TESTDATA, "testconf.yaml") + + +@mock.patch('confire.config.yaml') +def test_use_yaml_safe_load(mock_yaml): + """ + Ensure we're using yaml.safe_load not yaml.load + """ + from confire.config import Configuration + Configuration.CONF_PATHS = [TESTCONF] + Configuration.load() + + mock_yaml.safe_load.assert_called_once() + mock_yaml.load.assert_not_called()
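Review bot: in the confire/config.py hunk, `config.configure(yaml.safe_load(conf))` passes None when a file on CONF_PATHS is empty or contains only comments (safe_load, like load before it, returns None for an empty document), while the trailing context `def configure(self, conf={}):` shows configure expects a mapping; write `config.configure(yaml.safe_load(conf) or {})`. The mutable default `conf={}` on configure is shared across calls and should become `conf=None` with a fallback inside the method. The loader swap itself is the right fix: safe_load refuses the python/* tags that made a writable ~/.confire.yaml a code-execution vector.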
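Review bot: the tests/test_conf.py hunk, like the test_descriptors.py, test_environ.py and test_paths.py hunks, only rewrites the `# tests.xxx` and `# ID:` header comments to match the renamed files and is unrelated to the security fix; mixing it in makes this commit harder to cherry-pick onto a maintenance branch. Split the header cleanup into its own commit.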
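Review bot: in tests/test_safety.py the module docstring `Testing the paths descriptor` is copied from test_paths.py and should say that the test asserts yaml.safe_load is used. `Configuration.CONF_PATHS = [TESTCONF]` rewrites class state and never restores it, so later tests in the same process see the altered path list; use `mock.patch.object(Configuration, 'CONF_PATHS', [TESTCONF])` instead. Because the entire `confire.config.yaml` module is mocked, `safe_load` returns a MagicMock and PyYAML is never exercised; add a second test that feeds a document with a `!!python/object/apply` tag through `Configuration.load()` and expects `yaml.constructor.ConstructorError`, which is the behaviour the fix relies on. `from unittest import mock` and `assert_called_once()` require Python 3 (3.6+ for the latter), so if 0.2.x still claims Python 2 support this module fails to import there. The `Copyright (C) 2014` line on a file created in 2017 looks like a template leftover.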
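To find the same pattern elsewhere in a code base, as an added check that is not part of the advisory or of the confire project: a small ast-based audit that reports yaml.load and yaml.load_all calls that do not pin a safe Loader, plus every unsafe_load call, resolving `import yaml as y` and `from yaml import load as ...` aliases. The three sample sources are constructed for the demonstration (the first mirrors the shape of the vulnerable Configuration.load loop). Treating FullLoader as needing review rather than as safe is a deliberate conservative choice, since only SafeLoader and BaseLoader never construct Python objects.

```python
import ast

# Loader classes that never construct arbitrary Python objects. FullLoader,
# Loader and UnsafeLoader are deliberately absent, so they get reported.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
AUDITED_FUNCS = {"load", "load_all", "unsafe_load", "unsafe_load_all"}

# Constructed sample sources (not from the confire repository).
VULNERABLE_SRC = '''\
import os
import yaml

def load(klass):
    for path in klass.CONF_PATHS:
        if os.path.exists(path):
            with open(path, 'r') as conf:
                return yaml.load(conf)
'''

FIXED_SRC = '''\
import yaml
from yaml import load as yload, SafeLoader

def load(path):
    with open(path) as conf:
        a = yaml.safe_load(conf)
        b = yaml.load(conf, Loader=yaml.SafeLoader)
        c = yload(conf, SafeLoader)
    return a, b, c
'''

MIXED_SRC = '''\
import yaml
cfg = yaml.load(open("a.yaml"), Loader=yaml.FullLoader)
raw = yaml.unsafe_load(open("b.yaml"))
ok = yaml.load(open("c.yaml"), Loader=yaml.SafeLoader)
'''


def _dotted(node):
    """'yaml.load' for Name/Attribute chains, None for any other node."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return None if base is None else base + "." + node.attr
    return None


def _aliases(tree):
    """Map local names back to the yaml module: 'y' -> 'yaml', 'yload' -> 'yaml.load'."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    names[alias.asname or "yaml"] = "yaml"
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                names[alias.asname or alias.name] = "yaml." + alias.name
    return names


def _loader_arg(call):
    """The Loader argument: keyword Loader=..., else the second positional, else None."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return kw.value
    return call.args[1] if len(call.args) >= 2 else None


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return sorted [(lineno, resolved call name)] for yaml.load/load_all calls
    without a safe Loader and for every unsafe_load/unsafe_load_all call."""
    tree = ast.parse(source, filename)
    aliases = _aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        if head in aliases:
            name = aliases[head] + ("." + rest if rest else "")
        if not name.startswith("yaml."):
            continue
        func = name[len("yaml."):]
        if func not in AUDITED_FUNCS:
            continue
        if func.startswith("unsafe_"):
            findings.append((node.lineno, name))
            continue
        loader = _dotted(_loader_arg(node))
        if loader is None or loader.split(".")[-1] not in SAFE_LOADERS:
            findings.append((node.lineno, name))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC), ("mixed", MIXED_SRC)):
        print(label, find_unsafe_yaml_loads(src))
```

Run over the samples, the vulnerable loop is reported at its `yaml.load(conf)` line, the fixed source produces no findings, and the mixed source reports the FullLoader call and the unsafe_load call while the SafeLoader call passes. Unlike the mocked test in the patch, this check reads source rather than intercepting calls, so it also catches a `yaml.load` that the test suite never reaches.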
References
- github.com/bbengfort/confire/commit/8cc86a5ec2327e070f1d576d61bbaadf861597ea (NVD: Patch, Third Party Advisory)
- github.com/bbengfort/confire/issues/24 (NVD: Exploit, Third Party Advisory)
- joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16763-configure-loaded-through-confire/ (NVD: Exploit, Third Party Advisory; also listed by GHSA)
- github.com/advisories/GHSA-m85c-9mf8-m2m6 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16763 (GHSA advisory)
- github.com/pypa/advisory-database/tree/main/vulns/confire/PYSEC-2017-78.yaml (GHSA)