CVE-2023-49297

Summary

CVE-2023-49297 is a vulnerability affecting PyDrive2, a library used to simplify Google Drive API V2 tasks. The issue lies in the library's handling of YAML files, which can result in arbitrary code execution due to unsafe deserialization. A maliciously crafted YAML file, even if not directly loaded into the code, can trigger the vulnerability if PyDrive2 is initialized in the same directory. This deserialization attack, addressed in commit `c57355dc` and included in release version `1.16.2`, can be exploited without the need for file loading. Users are strongly advised to upgrade to the latest version to mitigate this risk, as no known workarounds are available.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.