GHSA-rprw-h62v-c2w7

Source

https://github.com/advisories/GHSA-rprw-h62v-c2w7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-rprw-h62v-c2w7/GHSA-rprw-h62v-c2w7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rprw-h62v-c2w7

Aliases

Published

2019-01-04T17:45:26Z

Modified

2024-02-18T05:21:58.568072Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

Details

In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.

References

Affected packages

PyPI / pyyaml

Package

Name: pyyaml; View open source insights on deps.dev
Purl: pkg:pypi/pyyaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1

Affected versions

3.*

3.01

3.02

3.03

3.04

3.05

3.06

3.07

3.08

3.09

3.10

3.11

3.12

3.13b1

3.13rc1

3.13

Ecosystem specific

{
    "affected_functions": [
        "yaml.load",
        "yaml.dump",
        "safe_dump_all",
        "safe_dump",
        "yaml.CSafeLoader",
        "yaml.CLoader",
        "yaml.CSafeDumper",
        "yaml.CDumper",
        "yaml.SafeDumper",
        "yaml.Dumper",
        "yaml.SafeLoader",
        "yaml.Loader"
    ]
}