CVE-2017-18342
Published: June 27, 2018Last modified: November 9, 2023
Description
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | py3-yaml | Not affected (6.0-r1) |
| Stream | py3-yaml | Not affected (6.0.1-r1) |
References
- https://github.com/marshmallow-code/apispec/issues/278
- https://github.com/yaml/pyyaml/blob/master/CHANGES
- https://github.com/yaml/pyyaml/issues/193
- https://github.com/yaml/pyyaml/pull/74
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
- https://security.gentoo.org/glsa/202003-45