Overview
PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
Advisory
Pyyaml before 4 uses ``yaml.load`` which has been assigned CVE-2017-18342.
How to Fix
Upgrade
pyyaml
to4.2b1
or higher.Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20180627-11685/CVE-2017-18342
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342
- https://github.com/marshmallow-code/apispec/issues/278
- https://github.com/yaml/pyyaml/blob/master/CHANGES
- https://github.com/yaml/pyyaml/issues/193
- https://github.com/yaml/pyyaml/pull/74
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
- https://security.gentoo.org/glsa/202003-45
- https://nvd.nist.gov/vuln/detail/CVE-2017-18342
- https://github.com/marshmallow-code/apispec/issues/278
- https://github.com/yaml/pyyaml/issues/193
- https://github.com/yaml/pyyaml/pull/74
- https://github.com/yaml/pyyaml/blob/master/CHANGES
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
- https://security.gentoo.org/glsa/202003-45
- https://github.com/yaml/pyyaml/commit/7b68405c81db889f83c32846462b238ccae5be80
- https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2018-49.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA
- https://github.com/advisories/GHSA-rprw-h62v-c2w7
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more