CVE-2005-3302
Published: 2005-10-24
Priority P3 · 37 · high · 7.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EXPLOIT
EPSS: 3.88% (88.9th percentile)
Eval injection vulnerability in bvh_import.py in Blender 2.36 allows attackers to execute arbitrary Python code via a hierarchy element in a .bvh file, which is supplied to an eval function call.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blender | blender | — | — |
| blender | blender | >= 0 < 2.37a-1 | 2.37a-1 |
| blender | blender | >= 0 < 2.37a-1 | 2.37a-1 |
| blender | blender | >= 0 < 2.37a-1 | 2.37a-1 |
| debian | blender | < blender 2.37a-1 (bookworm) | blender 2.37a-1 (bookworm) |
| debian | debian_linux | — | — |
CVSS provenance
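| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.3 | HIGH | — |
| vendor_debian | — | 7.3 | MEDIUM | — |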
Debian
CVE-2005-3302: blender - Eval injection vulnerability in bvh_import.py in Blender 2.36 allows attackers t...
vendor_debian·2005·CVSS 7.3
CVE-2005-3302 [HIGH] CVE-2005-3302: blender - Eval injection vulnerability in bvh_import.py in Blender 2.36 allows attackers t...
Scope: local
bookworm: resolved (fixed in 2.37a-1)
bullseye: resolved (fixed in 2.37a-1)
sid: resolved (fixed in 2.37a-1)
trixie: resolved (fixed in 2.37a-1)
GHSA
GHSA-2q62-rw6m-pchg: Eval injection vulnerability in bvh_import
ghsa_unreviewed·2022-05-01
CVE-2005-3302 [HIGH] CWE-94 GHSA-2q62-rw6m-pchg: Eval injection vulnerability in bvh_import
OSV
CVE-2005-3302: Eval injection vulnerability in bvh_import
osv·2005-10-24·CVSS 7.3
CVE-2005-3302 [HIGH] CVE-2005-3302: Eval injection vulnerability in bvh_import
CWE
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
mitre_cwe
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Implementation
Note: This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.
Common Consequences:
Scope: Confidentiality. Impact: Read Files or Directories, Read Application Data. The injected code could access restricted data / files.
Scope: Access Control. Impact:
CWE
CWE-94: Improper Control of Generation of Code ('Code Injection')
mitre_cwe
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism. In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Access Control. Impact: Gain Privileges or Assume Identity. Injected code can access resources that the attacker is directly prevented from ac
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330895
http://secunia.com/advisories/19754
http://www.debian.org/security/2006/dsa-1039
http://www.securityfocus.com/bid/17663