Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJwcnctaDYydi1jMnc3
PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJwcnctaDYydi1jMnc3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 6 years ago
Updated: about 2 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-rprw-h62v-c2w7, CVE-2017-18342
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-18342
- https://github.com/marshmallow-code/apispec/issues/278
- https://github.com/yaml/pyyaml/issues/193
- https://github.com/yaml/pyyaml/pull/74
- https://github.com/yaml/pyyaml/blob/master/CHANGES
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
- https://security.gentoo.org/glsa/202003-45
- https://github.com/yaml/pyyaml/commit/7b68405c81db889f83c32846462b238ccae5be80
- https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2018-49.yaml
- https://lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ
- https://lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE
- https://lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA
- https://github.com/advisories/GHSA-rprw-h62v-c2w7
Blast Radius: 49.9
Affected Packages
pypi:pyyaml
Dependent packages: 8,566Dependent repositories: 122,440
Downloads: 375,853,022 last month
Affected Version Ranges: < 4.1
Fixed in: 4.1
All affected versions:
All unaffected versions: 5.1.1, 5.1.2, 5.3.1, 5.4.1, 6.0.1, 6.0.2