Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNwcXgtNGZxZi1qNDlm
Deserialization of Untrusted Data in PyYAML
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
Permalink: https://github.com/advisories/GHSA-3pqx-4fqf-j49fJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNwcXgtNGZxZi1qNDlm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-3pqx-4fqf-j49f, CVE-2019-20477
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-20477
- https://github.com/yaml/pyyaml/blob/master/CHANGES
- https://lists.fedoraproject.org/archives/list/[email protected]/message/33VBUY73AA6CTTYL3LRWHNFDULV7PFPN/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/52N5XS73Z5S4ZN7I7R56ICCPCTKCUV4H/
- https://www.exploit-db.com/download/47655
- https://github.com/advisories/GHSA-3pqx-4fqf-j49f
Blast Radius: 49.9
Affected Packages
pypi:pyyaml
Dependent packages: 8,566Dependent repositories: 122,440
Downloads: 318,109,980 last month
Affected Version Ranges: >= 5.1, < 5.2
Fixed in: 5.2
All affected versions: 5.1.1, 5.1.2
All unaffected versions: 5.3.1, 5.4.1, 6.0.1