CVE-2018-17175

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2018-17175
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17175.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-17175
Aliases
Published
2018-09-18T17:29:01Z
Modified
2024-05-30T01:43:01.916484Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").

References

Affected packages

Git / github.com/marshmallow-code/marshmallow

Affected ranges

Type
GIT
Repo
https://github.com/marshmallow-code/marshmallow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0
0.2.0
0.2.1
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.6.0
0.7.0

1.*

1.0-a
1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6

2.*

2.0.0
2.0.0a1
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0b4
2.0.0b5
2.0.0rc1
2.0.0rc2
2.1.0
2.1.1
2.1.2
2.1.3
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.14.0
2.15.0
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
2.4.2
2.5.0
2.6.0
2.6.1
2.7.0
2.7.1
2.7.2
2.8.0
2.9.0
2.9.1