9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.014 Low
EPSS
Percentile
86.4%
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if
used with untrusted data. The load() function has been deprecated in
version 5.1 and the ‘UnsafeLoader’ has been introduced for backward
compatibility with the function.
Author | Note |
---|---|
seth-arnold | The patch changes the incredibly-unsafe yaml.load to the behaviour of safe_load; despite being many years overdue, it’s also likely to break something. |
mdeslaur | upstream has reverted the 4.1 fix, so as of 2020-10-06, there is no proper fix for this issue for stable releases, and fixing it is likely to cause compatibility issues. In stable releases individual software would need to be fixed instead of pyyaml itself. We are not going to be fixing pyyaml itself, marking as ignored. |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.014 Low
EPSS
Percentile
86.4%