258 matches found
Code injection
Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations...
CVE-2017-6920
Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations...
CVE-2017-6920
Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations...
CVE-2017-6920
CVE-2017-6920 affects Drupal core 8.x before 8.3.4. Root cause: the PECL YAML parser does not safely handle PHP objects during certain operations, enabling remote code execution by an unauthenticated attacker. The provided documents do not specify exploitation vectors beyond this description, nor...
CVE-2017-6920
Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations...
Remote Code Execution (RCE)
confire is vulnerable to remote code execution attacks. The attacks can happen because the config.py file allows users to parse their configuration from the /.confire.yaml through the yaml.load function of the YAML parser, allowing attackers to inject and execute arbitrary python commands...
Arbitrary Code Execution
owlmixin is vulnerable to arbitrary code execution attacks. It does not use the safeload method to parse YAML in the parseyamlquery method of parser.py, allowing the attacker to load any malicious Python code to the YAML parser...
Arbitrary Code Execution
pyanyapi is vulnerable to arbitrary code execution attacks. It does not use the safeload method to parse YAML in the parseyamlquery method of parser.py, allowing the attacker to load any malicious Python code to the YAML parser...
Arbitrary Code Execution
mlalchemy is vulnerable to arbitrary code execution attacks. It does not use the safeload method to parse YAML in the parseyamlquery method of parser.py, allowing the attacker to load any malicious Python code to the YAML parser...
RubyGems: Remote code execution on rubygems.org
When parsing a gem POSTed to the /api/v1/gems endpoint, the rubygems.org application immediately calls Gem::Package.newbody.spec inside app/models/pusher.rb. The authors of the application correctly observed that parsing untrusted YAML is dangerous since it can serialize more or less arbitrary...
FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (4fc2df49-6279-11e7-be0f-6cf0497db129)
Drupal Security Team Reports : CVE-2017-6920: PECL YAML parser unsafe object handling. CVE-2017-6921: File REST resource does not properly validate CVE-2017-6922: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users. %NASLMINLEVEL 70300 C Tenable...
Drupal 7.x < 7.56 / 8.x < 8.3.4 Multiple Vulnerabilities (SA-CORE-2017-003)
According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.56 or 8.x prior to 8.3.4. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the PECL YAML parser due to unsafe handling of PHP objects during certain...
PECL YAML parser unsafe object handling
More info at https://www.drupal.org/SA-CORE-2017-003...
PECL YAML parser unsafe object handling
More info at https://www.drupal.org/SA-CORE-2017-003...
yaml-cpp denial of service vulnerability
yaml-cpp also known as LibYaml-C ++ is a YAML parser. A denial of service vulnerability in the SingleDocParser :: HandleNode function in yaml-cpp version 0.5.3 allows remote attackers to cause a denial of service stack consumption and application crash via a crafted YAML file...
[SECURITY] Fedora 22 Update: PyYAML-3.11-7.fc22
YAML is a data serialization format designed for human readability and interaction with scripting languages. PyYAML is a YAML parser and emitter for Python. PyYAML features a complete YAML 1.1 parser, Unicode support, pickle support, capable extension API, and sensible error messages. PyYAML...
[SECURITY] Fedora 21 Update: PyYAML-3.11-7.fc21
YAML is a data serialization format designed for human readability and interaction with scripting languages. PyYAML is a YAML parser and emitter for Python. PyYAML features a complete YAML 1.1 parser, Unicode support, pickle support, capable extension API, and sensible error messages. PyYAML...
Debian DLA-127-1 : pyyaml security update
Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in Python-YAML, a YAML parser and emitter for Python. An attacker able to load specially crafted YAML input into an application using python-yaml could cause the application to crash. NOTE: Tenabl...
Moderate: Red Hat Security Advisory: libyaml security update
Updated libyaml packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 4.0 and 5.0 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System CVSS base...
USN-2461-3: PyYAML vulnerability
Stanisław Pitucha and Jonathan Gray discovered that PyYAML did not properly handle wrapped strings. An attacker could create specially crafted YAML data to trigger an assert, causing a denial of service...