CVE-2017-18342

critical

Description

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

References

Advisories
More

https://security.gentoo.org/glsa/202003-45

https://github.com/yaml/pyyaml/pull/74

https://github.com/yaml/pyyaml/issues/193

https://github.com/yaml/pyyaml/blob/master/CHANGES

https://github.com/marshmallow-code/apispec/issues/278

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/

https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation

Details

Source: Mitre, NVD

Published: 2018-06-27

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.04784

Detections

Analytics