CVE-2018-8097:
Eve allows execution of arbitrary code

CVSS Score (v3.0)
9.8

Basic Information

EPSS Score
0.92898%
Published
7/12/2018
Updated
9/20/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
eve
Ecosystem
pip
Vulnerable Versions
< 0.7.5
First Patched Version
0.7.5

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the pre-patch version of visit_Call in parser.py, which passed user-controlled input (the 'where' request parameter) directly to eval(). Commit f8f7019 replaced the eval() call with safe object construction, confirming this was the attack vector. The CWE-94 (Code Injection) classification and the patch context indicate that eval() misuse was the root cause.
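The following is an added illustration, not Eve's own parser code, of the two patterns the root-cause analysis contrasts: a where-clause visitor that hands expression source text to eval(), and the hardened form that walks the AST and only instantiates an allowlisted set of constructors. The names parse_where_unsafe, parse_where, build_value and ALLOWED_CALLS are assumptions made for this example; ObjectId is a minimal stand-in so the block does not depend on bson.

```python
"""Added example (constructed, not Eve's code): eval()-based versus
allowlist-based construction of values in a Python-syntax `where` clause."""
import ast
import datetime


class ObjectId:
    """Stand-in for bson.ObjectId so the example has no third-party dependency."""

    def __init__(self, oid):
        if not (isinstance(oid, str) and len(oid) == 24
                and all(c in "0123456789abcdef" for c in oid)):
            raise ValueError("invalid ObjectId")
        self.oid = oid

    def __repr__(self):
        return f"ObjectId({self.oid!r})"


def _comparison(where):
    """Accept only `field == value` and return (field name, value node)."""
    expr = ast.parse(where, mode="eval").body
    if not (isinstance(expr, ast.Compare) and len(expr.ops) == 1
            and isinstance(expr.ops[0], ast.Eq) and isinstance(expr.left, ast.Name)):
        raise ValueError("only 'field == value' comparisons are supported")
    return expr.left.id, expr.comparators[0]


def parse_where_unsafe(where):
    """Pre-patch pattern (constructed to mirror the description): the source text
    of the value expression is handed to eval(), so any callable the client
    names in the request parameter runs on the server. Shown for contrast only."""
    field, value_node = _comparison(where)
    return {field: eval(ast.get_source_segment(where, value_node))}  # injection sink


# Hardened form: the only callables that can ever be invoked are these two,
# looked up by bare name; attributes, subscripts and keywords are rejected.
ALLOWED_CALLS = {"datetime": datetime.datetime, "ObjectId": ObjectId}


def build_value(node):
    """Turn an AST node into a value by construction, never by eval()."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Call):
        if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_CALLS:
            raise ValueError("call not allowed: %s" % ast.dump(node.func))
        if node.keywords:
            raise ValueError("keyword arguments not allowed")
        args = [build_value(arg) for arg in node.args]  # nested calls are re-checked
        return ALLOWED_CALLS[node.func.id](*args)
    raise ValueError("unsupported expression: %s" % type(node).__name__)


def parse_where(where):
    """Patched pattern: parse `field == value` into a filter dict without eval()."""
    field, value_node = _comparison(where)
    return {field: build_value(value_node)}


if __name__ == "__main__":
    print(parse_where('created == datetime(2018, 7, 12)'))
    print(parse_where('_id == ObjectId("5b4714d0e6bd8a2d5a9c0a1b")'))
    try:
        parse_where('x == str(1)')  # any name outside ALLOWED_CALLS is refused
    except ValueError as err:
        print("rejected:", err)
```

The key design point is that build_value never touches the expression's source text; it only ever calls a constructor it fetched from ALLOWED_CALLS, and it recurses into arguments so a disallowed call cannot be smuggled in as a nested argument. Anything outside the supported grammar (attribute access, keywords, unary operators, subscripts) fails closed with ValueError rather than being interpreted.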

WAF Protection Rules

WAF Rule

`io/mongo/parser.py` in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the `where` parameter.
