We use cookies to improve your experience on our site.
AVID-2026-R1158
Description
Vulnerability CVE-2022-42036
Details
The d8s-urls package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0.
Reason for inclusion in AVID: The CVE-2022-42036 vulnerability describes a code-execution backdoor inserted into the Python package d8s-urls, distributed via PyPI, with the backdoor implemented via the democritus-csv package. This is a software supply chain issue in a dependency that could be used in AI pipelines or AI-related tooling, affecting general-purpose AI system stacks. It is a security vulnerability (remote code execution/backdoor) and there is credible evidence (NVD entry, PyPI pages, GitHub issue) supporting the vulnerability and its scope.
References
- NVD entry
- https://pypi.org/project/d8s-urls/
- https://pypi.org/project/democritus-csv/
- https://github.com/democritus-project/d8s-urls/issues/12
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-10-11
- Version: 0.3.3
- AVID Entry