Miggo Logo

CVE-2022-2054: Command Injection in Nuitka

7.8

CVSS Score
3.1

Basic Information

EPSS Score
0.33364%
Published
6/13/2022
Updated
9/26/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Nuitkapip<= 0.8.40.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from multiple instances where eval() was used to process untrusted input (environment variables, file contents, XML data). The GitHub patch shows systematic replacement of eval() with ast.literal_eval(), which safely evaluates literal structures instead of executing arbitrary code. Each identified function directly used eval() on external inputs that could be controlled by an attacker, making them clear injection points. The high confidence comes from: 1) Official patch directly addressing these functions 2) CWE-77/94 alignment with eval() misuse patterns 3) Environment variables and external data being common attack vectors for injection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Nuitk* *.*.* *n* prior is vuln*r**l* to *omm*n* inj**tion. * p*t** is *v*il**l* *n* *nti*ip*t** to ** p*rt o* t** `*.*` r*l**s*.

Reasoning

T** vuln*r**ility st*ms *rom multipl* inst*n**s w**r* *v*l() w*s us** to pro**ss untrust** input (*nvironm*nt v*ri**l*s, *il* *ont*nts, XML **t*). T** *it*u* p*t** s*ows syst*m*ti* r*pl***m*nt o* *v*l() wit* *st.lit*r*l_*v*l(), w*i** s***ly *v*lu*t*s