CVE-2007-1253 — Code Injection in Blender

CWE-94 — Code Injection CWE-95 — Eval Injection7 documents6 sources

Severity

9.3CRITICALNVD

EPSS

3.1%

top 13.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Blender Debian Blender

Timeline

PublishedMar 3

Latest updateMay 1

Description

Eval injection vulnerability in the (a) kmz_ImportWithMesh.py Script for Blender 0.1.9h, as used in (b) Blender before 2.43, allows user-assisted remote attackers to execute arbitrary Python code by importing a crafted (1) KML or (2) KMZ file.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages3 packages

▶debiandebian/blender< blender 2.42a-6 (bookworm)

▶Debianblender/blender< 2.42a-6+2

▶NVDblender/blender2.42a+3

🔴Vulnerability Details

GHSA

GHSA-grpq-v752-9mjq: Eval injection vulnerability in the (a) kmz_ImportWithMesh↗2022-05-01

▶

OSV

CVE-2007-1253: Eval injection vulnerability in the (a) kmz_ImportWithMesh↗2007-03-03

▶

📋Vendor Advisories

Debian

CVE-2007-1253: blender - Eval injection vulnerability in the (a) kmz_ImportWithMesh.py Script for Blender...↗2007

▶

📐Framework References

CWE

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')↗

▶

CWE

Improper Control of Generation of Code ('Code Injection')↗

▶

💬Community

Bugzilla

CVE-2007-1253: blender arbitrary python code execution↗2007-05-07

▶