Potential remote code execution due to embedding of old django-piston

Type atlassian
Reporter dblack
Modified 2017-04-02T09:03:36


NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-46819

The exposed (atlassian) API for forum_modules, found under forum_modules/atlassian/api, uses an outdated version of django-piston that does not contain the fix for a remote code execution bug caused by the use of yaml.load instead of safe_load in the emitters.py Python script (on line 412). Whilst it appears that the yaml module is not available on the production or staging instances of answers.atlassian.com, this bug should still be fixed.
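One way to find embedded copies of this pattern in a code base is a static check for yaml.load calls that do not pass a safe Loader. The following is an added example, not code from django-piston or from the report; the function names and the sample source are constructed, and it assumes the module is imported under the name `yaml` (calls made through `from yaml import load` are not matched).

```python
import ast

# Loader names that restrict construction to plain YAML types.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

def _loader_name(node):
    """Return the loader's bare name for `SafeLoader` or `yaml.SafeLoader`."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None

def find_unsafe_yaml_loads(source, filename="<constructed>"):
    """Return (filename, line, call) for yaml.load/load_all calls lacking a safe Loader."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        func = node.func
        if not (isinstance(func.value, ast.Name) and func.value.id == "yaml"):
            continue
        if func.attr not in ("load", "load_all"):
            continue
        # Loader may be passed as a keyword or as the second positional argument.
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:
            loader = node.args[1]
        if _loader_name(loader) not in SAFE_LOADERS:
            findings.append((filename, node.lineno, "yaml." + func.attr))
    return sorted(findings)

# Constructed sample, not the django-piston source.
SAMPLE = '''import yaml

def parse_body(raw):
    return yaml.load(raw)

def parse_body_fixed(raw):
    return yaml.safe_load(raw)

def parse_with_loader(raw):
    return yaml.load(raw, Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    for hit in find_unsafe_yaml_loads(SAMPLE):
        print("%s:%d: %s without a safe Loader" % hit)
```

Run over a vendored tree, each finding is a call site to switch to safe_load or to an explicit safe Loader.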