Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB2aHAtdjlxcC14ZjVy
Django-piston and Django-tastypie do not properly deserialize YAML data
emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.
Django Tastypie has a very similar vulnerability.
Permalink: https://github.com/advisories/GHSA-pvhp-v9qp-xf5rJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB2aHAtdjlxcC14ZjVy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 6 years ago
Updated: 2 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pvhp-v9qp-xf5r, CVE-2011-4103
References:
- https://nvd.nist.gov/vuln/detail/CVE-2011-4103
- https://bugzilla.redhat.com/show_bug.cgi?id=750658
- https://github.com/advisories/GHSA-pvhp-v9qp-xf5r
- http://www.debian.org/security/2011/dsa-2344
- http://www.openwall.com/lists/oss-security/2011/11/01/10
- https://bitbucket.org/jespern/django-piston/commits/91bdaec89543
- https://github.com/pypa/advisory-database/tree/main/vulns/django-piston/PYSEC-2014-24.yaml
- https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases
Blast Radius: 21.6
Affected Packages
pypi:django-piston
Dependent packages: 0Dependent repositories: 159
Downloads: 737 last month
Affected Version Ranges: >= 0.2.0, < 0.2.2.1
Fixed in: 0.2.2.1
All affected versions: 0.2.1, 0.2.2, 0.2.3
All unaffected versions: 0.0.1