GHSA-rprw-h62v-c2w7CriticalCVSS 9.8
PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
🔗 CVE IDs covered (1)
📋 Description
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.
This was intended to be fixed in 4.1, but due to breaking changes, 4.1 was yanked and 5.1 contains the patch for CVE-2017-18342.
🎯 Affected products1
- pip/PyYAML:< 5.1
🔗 References (14)
- https://nvd.nist.gov/vuln/detail/CVE-2017-18342
- https://github.com/marshmallow-code/apispec/issues/278
- https://github.com/yaml/pyyaml/issues/193
- https://github.com/yaml/pyyaml/pull/74
- https://github.com/yaml/pyyaml/blob/master/CHANGES
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
- https://security.gentoo.org/glsa/202003-45
- https://github.com/yaml/pyyaml/commit/7b68405c81db889f83c32846462b238ccae5be80
- https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2018-49.yaml
- https://lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ
- https://lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE
- https://lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA
- https://github.com/yaml/pyyaml/issues/207#issuecomment-472520007
- https://github.com/advisories/GHSA-rprw-h62v-c2w7