GitHub Advisory DatabaseGHSA-9Q2P-FJ49-VPXJIn marshmallow library the schema "only" option treats an empty list as implying no "only" option
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
43.4%
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema “only” option treats an empty list as implying no “only” option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the “only” option, and there is a user role that produces an empty value for “only”).
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| marshmallow_project | marshmallow | * | cpe:2.3:a:marshmallow_project:marshmallow:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-9q2p-fj49-vpxj
github.com/marshmallow-code/marshmallow/issues/772
github.com/marshmallow-code/marshmallow/pull/777
github.com/marshmallow-code/marshmallow/pull/782
github.com/pypa/advisory-database/tree/main/vulns/marshmallow/PYSEC-2018-67.yaml
nvd.nist.gov/vuln/detail/CVE-2018-17175
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
43.4%