The package was installed on the system using the d8s-yaml package, which is vulnerable to remote code execution. This backdoor was added by a third party and was not maintained by the original author. The code was removed from the package on Dec. 1, 2018.

In addition to the above issues, the d8s-yaml package on PyPI had issues with its documentation and licensing. The open-source package license was unclear and the documentation was incomplete. The d8s-yaml package had issues with its dependency resolution process as well.

D8s-Yaml Package: 5 Lessons

The d8s-yaml package had issues with its license and documentation: the license was unclear and the documentation was incomplete. The package on PyPI also had issues with its dependency resolution process.

Timeline

Published on: 10/11/2022 22:15:00 UTC
Last modified on: 10/12/2022 18:55:00 UTC
