The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because "python -m" looks in this directory, as demonstrated by rdf2dot. This issue is specific to use of the debian/scripts directory. Reference: https://bugs.debian.org/921751
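The search-path behaviour behind this issue can be observed without importing anything from the working directory. The following is an added example, not code from RDFLib or the Debian package: it starts a child interpreter with `-m site` (a harmless standard-library target) inside a fresh temporary directory and reports whether that directory ends up on `sys.path`, with and without isolated mode (`-I`, Python 3.4 and later). The helper names are hypothetical.

```python
import ast
import os
import subprocess
import sys
import tempfile


def child_sys_path(interpreter_flags, cwd):
    """Return sys.path as seen by `python <flags> -m site` started in `cwd`."""
    # Drop PYTHONSAFEPATH (3.11+) so the default behaviour is what gets measured.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
    out = subprocess.run(
        [sys.executable, *interpreter_flags, "-m", "site"],
        cwd=cwd, env=env, capture_output=True, text=True, check=True,
    ).stdout
    # `-m site` prints "sys.path = [", one repr()'d entry per line, then "]".
    entries, inside = [], False
    for line in out.splitlines():
        if line.startswith("sys.path = ["):
            inside = True
        elif inside and line.strip() == "]":
            break
        elif inside:
            entries.append(ast.literal_eval(line.strip().rstrip(",")))
    return entries


def cwd_is_searched(interpreter_flags):
    """True if a `-m` launch with these flags searches the working directory."""
    with tempfile.TemporaryDirectory() as workdir:  # stands in for an untrusted cwd
        real = os.path.realpath(workdir)
        return any(
            # '' or a relative entry is resolved against the child's cwd
            os.path.realpath(os.path.join(workdir, entry)) == real
            for entry in child_sys_path(interpreter_flags, workdir)
        )


if __name__ == "__main__":
    print("python -m    searches cwd:", cwd_is_searched([]))
    print("python -I -m searches cwd:", cwd_is_searched(["-I"]))
```

A wrapper script that launches a tool with plain `python -m` inherits the first result; the same check can be pointed at whatever flags a packaged wrapper actually passes.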
Created python-rdflib tracking bugs for this issue: Affects: fedora-all [bug 1676378]
Created python-rdflib tracking bugs for this issue: Affects: epel-all [bug 1676379]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.