CVE-2023-49297: 
Python vulnerability analysis and mitigation

PyDrive2, a wrapper library for google-api-python-client that simplifies Google Drive API V2 tasks, was found to contain a deserialization vulnerability (CVE-2023-49297) discovered in December 2023. The vulnerability affects versions up to and including 1.16.1, with the fix being released in version 1.16.2. This security issue involves unsafe YAML deserialization that could lead to arbitrary code execution (GitHub Advisory).

The vulnerability stems from the use of unsafe YAML deserialization in the LoadSettingsFile function. The issue occurs because the library uses CLoader from the yaml library, which is considered unsafe as it allows execution of any Python code contained within the YAML file. The vulnerability is triggered when initializing GoogleAuth while a malicious yaml file is present in the same directory, or when such a file is loaded via LoadSettingsFile. The CVSS v3.1 base score is 7.8 HIGH, with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (GitHub Advisory, NVD).

The vulnerability allows attackers to execute arbitrary code through a maliciously crafted YAML file. What makes this vulnerability particularly concerning is that it doesn't require the file to be directly loaded through the code - merely having the malicious file present in the same directory as the PyDrive2 application is sufficient to trigger the vulnerability (GitHub Advisory).

The vulnerability has been patched in PyDrive2 version 1.16.2 by replacing the unsafe CLoader with CSafeLoader. Users are strongly advised to upgrade to version 1.16.2 or later. The fix was implemented in commit c57355dc. There are no known workarounds for this vulnerability other than upgrading to a patched version (GitHub Advisory, Fedora Update).