Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB2aHAtdjlxcC14ZjVy
Django-piston and Django-tastypie do not properly deserialize YAML data
emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.
Django Tastypie has a very similar vulnerability.
Permalink: https://github.com/advisories/GHSA-pvhp-v9qp-xf5rJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB2aHAtdjlxcC14ZjVy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: 9 months ago
Identifiers: GHSA-pvhp-v9qp-xf5r, CVE-2011-4103
References:
- https://nvd.nist.gov/vuln/detail/CVE-2011-4103
- https://bitbucket.org/jespern/django-piston/commits/91bdaec89543/
- https://bugzilla.redhat.com/show_bug.cgi?id=750658
- https://github.com/advisories/GHSA-pvhp-v9qp-xf5r
- https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
- http://www.debian.org/security/2011/dsa-2344
- http://www.openwall.com/lists/oss-security/2011/11/01/10
Blast Radius: 0.0
Affected Packages
pypi:django-piston
Dependent packages: 0Dependent repositories: 159
Downloads: 512 last month
Affected Version Ranges: >= 0.2.2.2, < 0.2.3, >= 0.2.0, <= 0.2.2.0
Fixed in: 0.2.3, 0.2.2.1
All affected versions: 0.0.1, 0.2.1, 0.2.2, 0.2.3
All unaffected versions: