Veracode Vulnerability DatabaseVERACODE:6866Remote Code Execution (RCE)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
pyyaml is vulnerable to remote code execution (RCE) attacks. The application uses the unsafe function yaml.load(), allowing a malicious user to inject and execute arbitrary code by passing a yaml file.
References
github.com/marshmallow-code/apispec/issues/278
github.com/yaml/pyyaml/blob/master/CHANGES
github.com/yaml/pyyaml/commit/7b68405c81db889f83c32846462b238ccae5be80#diff-24ce40cb0919b1c87482d99e8831ac08
github.com/yaml/pyyaml/commit/bbcf95fa051fdba9bbf879332e2f7999b195cf95
github.com/yaml/pyyaml/issues/193
github.com/yaml/pyyaml/pull/74
github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
security.gentoo.org/glsa/202003-45
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P