Vulnerability Details : CVE-2017-18342
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
Vulnerability category: Execute code
Products affected by CVE-2017-18342
- cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:a:pyyaml:pyyaml:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-18342
- EPSS score: 4.70% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~88% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2017-18342
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
| 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2017-18342
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-18342
- https://github.com/yaml/pyyaml/pull/74 (Patch; Third Party Advisory): Make pyyaml safe by default. by alex · Pull Request #74 · yaml/pyyaml · GitHub
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation (Third Party Advisory): PyYAML yaml.load(input) Deprecation · yaml/pyyaml Wiki · GitHub
- https://github.com/yaml/pyyaml/blob/master/CHANGES (Release Notes; Third Party Advisory): pyyaml/CHANGES at master · yaml/pyyaml · GitHub
- https://github.com/yaml/pyyaml/issues/193 (Third Party Advisory): PyYAML 4.2 Release Plan · Issue #193 · yaml/pyyaml · GitHub
- https://github.com/marshmallow-code/apispec/issues/278 (Third Party Advisory): Use 'yaml.safe_load' in 'load_yaml_from_docstring' · Issue #278 · marshmallow-code/apispec · GitHub
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/ (Third Party Advisory): [SECURITY] Fedora 30 Update: PyYAML-5.1-1.fc30 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/ (Third Party Advisory): [SECURITY] Fedora 28 Update: PyYAML-5.1-1.fc28 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/ (Third Party Advisory): [SECURITY] Fedora 29 Update: PyYAML-5.1-1.fc29 - package-announce - Fedora Mailing-Lists
- https://security.gentoo.org/glsa/202003-45 (Third Party Advisory): PyYAML: Arbitrary code execution (GLSA 202003-45) — Gentoo security