Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2005-3302 — Code Injection in Blender

CWE-94 — Code Injection CWE-95 — Eval Injection7 documents6 sources

Severity

7.3HIGHNVD

EPSS

6.2%

top 9.10%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Blender Debian Blender Debian Linux

Timeline

PublishedOct 24

Latest updateMay 1

Description

Eval injection vulnerability in bvh_import.py in Blender 2.36 allows attackers to execute arbitrary Python code via a hierarchy element in a .bvh file, which is supplied to an eval function call.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages3 packages

▶debiandebian/blender< blender 2.37a-1 (bookworm)

▶Debianblender/blender< 2.37a-1+2

▶NVDblender/blender2.36

Also affects: Debian Linux 3.1

🔴Vulnerability Details

GHSA

GHSA-2q62-rw6m-pchg: Eval injection vulnerability in bvh_import↗2022-05-01

▶

OSV

CVE-2005-3302: Eval injection vulnerability in bvh_import↗2005-10-24

▶

💥Exploits & PoCs

Exploit-DB

Blender 2.36 - '.BVF' File Import Python Code Execution↗2006-04-24

▶

📋Vendor Advisories

Debian

CVE-2005-3302: blender - Eval injection vulnerability in bvh_import.py in Blender 2.36 allows attackers t...↗2005

▶

📐Framework References

CWE

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')↗

▶

CWE

Improper Control of Generation of Code ('Code Injection')↗

▶