A vulnerability was discovered in the PyYAML library in versions before
5.4, where it is susceptible to arbitrary code execution when it processes
untrusted YAML files through the full_load method or with the FullLoader
loader. Applications that use the library to process untrusted input may be
vulnerable to this flaw. This flaw allows an attacker to execute arbitrary
code on the system by abusing the python/object/new constructor. This flaw
is due to an incomplete fix for CVE-2020-1747.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966233>
<https://github.com/yaml/pyyaml/issues/420>

Notes

Author	Note
sbeattie	incomplete fix of CVE-2020-1747
mdeslaur	FullLoader was introduced in 5.1. FullLoader should not be used on untrusted input.

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchpyyaml< 5.3.1-1ubuntu0.1UNKNOWN
ubuntu20.10noarchpyyaml< 5.3.1-2ubuntu0.1UNKNOWN
ubuntu21.04noarchpyyaml< 5.3.1-3ubuntu1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	20.04	noarch	pyyaml	< 5.3.1-1ubuntu0.1	UNKNOWN
ubuntu	20.10	noarch	pyyaml	< 5.3.1-2ubuntu0.1	UNKNOWN
ubuntu	21.04	noarch	pyyaml	< 5.3.1-3ubuntu1	UNKNOWN

References

github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

launchpad.net/bugs/cve/CVE-2020-14343

nvd.nist.gov/vuln/detail/CVE-2020-14343

security-tracker.debian.org/tracker/CVE-2020-14343

ubuntu.com/security/notices/USN-4940-1

www.cve.org/CVERecord?id=CVE-2020-14343

nessus 49

osv 11

alpinelinux 2

cvelist 2

openvas 30

freebsd 2

gentoo 1

github 2

prion 2

veracode 2

redhatcve 2

mageia 2

redhat 3

attackerkb 1

rocky 2

debiancve 2

almalinux 2

githubexploit 1

cve 2

fedora 5

oraclelinux 2

redos 18

ubuntu 1

ibm 9

photon 11

cbl_mariner 2

suse 2

altlinux 1

ubuntucve 1

oracle 3

nessus

EulerOS Virtualization for ARM 64 3.0.6.0 : PyYAML (EulerOS-SA-2021-1565)

2021-03-04 00:00:00

EulerOS 2.0 SP9 : PyYAML (EulerOS-SA-2021-1958)

2021-06-03 00:00:00

GLSA-202402-33 : PyYAML: Arbitrary Code Execution

2024-02-26 00:00:00

osv

Moderate: python38:3.8 and python38-devel:3.8 security update

2021-06-29 13:57:32

CVE-2020-14343

2021-02-09 21:15:12

Moderate: python38:3.8 and python38-devel:3.8 security update

2021-06-29 13:57:32

alpinelinux

CVE-2020-14343

2021-02-09 21:15:00

CVE-2020-1747

2020-03-24 15:15:00

cvelist

CVE-2020-14343

2021-02-09 00:00:00

CVE-2020-1747

2020-03-24 13:56:37

openvas

Huawei EulerOS: Security Advisory for PyYAML (EulerOS-SA-2021-2078)

2021-07-07 00:00:00

Huawei EulerOS: Security Advisory for PyYAML (EulerOS-SA-2021-1565)

2021-03-05 00:00:00

Huawei EulerOS: Security Advisory for PyYAML (EulerOS-SA-2021-1723)

2021-04-13 00:00:00

freebsd

PyYAML -- arbitrary code execution

2020-07-22 00:00:00

py-yaml -- FullLoader (still) exploitable for arbitrary command execution

2020-03-02 00:00:00

gentoo

PyYAML: Arbitrary Code Execution

2024-02-26 00:00:00

github

Improper Input Validation in PyYAML

2021-03-25 21:26:26

Improper Input Validation in PyYAML

2021-04-20 16:14:24

prion

Input validation

2021-02-09 21:15:00

Input validation

2020-03-24 15:15:00

veracode

Arbitrary Code Execution

2020-10-27 05:37:05

Remote Code Execution

2020-03-03 03:39:05

redhatcve

CVE-2020-14343

2020-07-24 17:37:40

CVE-2020-1747

2020-03-02 09:41:10

mageia

Updated python-yaml packages fix security vulnerability

2021-03-12 04:25:47

Updated python-yaml packages fix security vulnerability

2020-04-03 01:48:49

redhat

(RHSA-2021:2583) Moderate: python38:3.8 and python38-devel:3.8 security update

2021-06-29 13:57:32

(RHSA-2020:4641) Moderate: python38:3.8 security, bug fix, and enhancement update

2020-11-03 12:23:02

(RHSA-2021:4702) Moderate: Satellite 6.10 Release

2021-11-16 13:58:57

attackerkb

CVE-2020-14343

2021-02-09 00:00:00

rocky

python38:3.8 and python38-devel:3.8 security update

2021-06-29 13:57:32

python38:3.8 security, bug fix, and enhancement update

2020-11-03 12:23:02

debiancve

CVE-2020-14343

2021-02-09 21:15:00

CVE-2020-1747

2020-03-24 15:15:00

almalinux

Moderate: python38:3.8 and python38-devel:3.8 security update

2021-06-29 13:57:32

Moderate: python38:3.8 security, bug fix, and enhancement update

2020-11-03 12:23:02

githubexploit

Exploit for Improper Input Validation in Pyyaml

2021-06-27 06:56:15

cve

CVE-2020-14343

2021-02-09 21:15:00

CVE-2020-1747

2020-03-24 15:15:00

fedora

[SECURITY] Fedora 32 Update: PyYAML-5.4.1-1.fc32

2021-01-30 01:42:55

[SECURITY] Fedora 33 Update: PyYAML-5.4.1-1.fc33

2021-01-23 01:32:47

[SECURITY] Fedora 30 Update: PyYAML-5.3.1-1.fc30

2020-03-27 10:46:20

oraclelinux

python38:3.8 and python38-devel:3.8 security update

2021-07-02 00:00:00

python38:3.8 security, bug fix, and enhancement update

2020-11-10 00:00:00

redos

ROS-2-534

2021-09-08 00:00:00

ROS-2-509

2021-12-24 00:00:00

ROS-2-723

2021-09-08 00:00:00

ubuntu

PyYAML vulnerability

2021-05-10 00:00:00

ibm

Security Bulletin: Vulnerability in PyYAML affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2020-14343]

2024-03-11 12:51:16

Security Bulletin: Vulnerability in PyYAML affects IBM Spectrum Protect Plus Container and Microsoft File Systems Agents (CVE-2020-1747)

2020-12-04 06:02:50

Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

2020-10-09 20:01:39

photon

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0361

2021-02-22 00:00:00

Critical Photon OS Security Update - PHSA-2021-0190

2021-02-02 00:00:00

Critical Photon OS Security Update - PHSA-2021-3.0-0190

2021-02-02 00:00:00

cbl_mariner

CVE-2020-14343 affecting package PyYAML for versions less than 5.4.1-1

2023-11-10 17:45:58

CVE-2020-1747 affecting package PyYAML for versions less than 5.4.1-1

2023-11-10 17:45:58

suse

Security update for python-PyYAML (important)

2020-04-12 00:00:00

Security update for python-PyYAML (important)

2020-05-11 00:00:00

altlinux

Security fix for the ALT Linux 9 package python-module-yaml version 5.4.1-alt0.p9

2021-03-22 00:00:00

ubuntucve

CVE-2020-1747

2020-03-24 00:00:00

oracle

Oracle Critical Patch Update Advisory - July 2022

2022-07-19 00:00:00

Oracle Critical Patch Update Advisory - April 2023

2023-04-18 00:00:00

Oracle Critical Patch Update Advisory - April 2022

2022-04-19 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

0.003 Low

EPSS

Percentile

67.7%

JSON

Related for UB:CVE-2020-14343