Cheetah 0.9.15 and 0.9.16 searches the /tmp directory for modules before using the paths in the PYTHONPATH variable, which allows local users to execute arbitrary code via a malicious module in /tmp/.
Software | From | Fixed in |
---|---|---|
tavis_rudd / cheetah | 0.9.15 | 0.9.15.x |
tavis_rudd / cheetah | 0.9.16 | 0.9.16.x |