CVE-2018-8097:
Eve allows execution of arbitrary code
9.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.92898%
CWE
Published
7/12/2018
Updated
9/20/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
eve | pip | < 0.7.5 | 0.7.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the pre-patch version of visit_Call
in parser.py
, which directly used eval()
on user-controlled input (from the 'where' parameter). The commit f8f7019
replaced eval()
with safe object construction, confirming this was the attack vector. The CWE-94
classification and patch context indicate eval()
misuse was the root cause.