Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlxMnAtZmo0OS12cHhq

Moderate CVSS: 6.9 EPSS: 0.00189% (0.41057 Percentile) EPSS:
Permalink JSON

In marshmallow library the schema "only" option treats an empty list as implying no "only" option

Affected Packages Affected Versions Fixed Versions
pypi:marshmallow
PURL: pkg:pypi/marshmallow
< 2.15.1 2.15.1
705 Dependent packages
22,877 Dependent repositories
84,378,711 Downloads last month

Affected Version Ranges

All affected versions

0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.7.0, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.14.0, 2.15.0

All unaffected versions

2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.15.6, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.17.0, 2.18.0, 2.18.1, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.19.5, 2.20.0, 2.20.1, 2.20.2, 2.20.3, 2.20.4, 2.20.5, 2.21.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.10.0, 3.11.0, 3.11.1, 3.12.0, 3.12.1, 3.12.2, 3.13.0, 3.14.0, 3.14.1, 3.15.0, 3.16.0, 3.17.0, 3.17.1, 3.18.0, 3.19.0, 3.20.0, 3.20.1, 3.20.2, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.22.0, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.24.0, 3.24.1, 3.24.2, 3.25.0, 3.25.1, 3.26.0, 3.26.1, 4.0.0, 4.0.1

In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").

References:

Identifiers

GHSA-9q2p-fj49-vpxj

CVE-2018-17175

Risk

Severity

Moderate

CVSS

CVSS Score: 6.9

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00189

EPSS Percentile: 0.41057

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/marshmallow-code/marshmallow

Date and time

Published

almost 7 years ago

Updated

about 1 year ago

API

JSON