Vulnerability Details : CVE-2018-17175
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
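The failure mode described above, modelled as an added self-contained Python example (this is not marshmallow's own code; the record, role names and the `dump_*` helpers are constructed for illustration): a dynamic allow-list where the truthiness test `if only:` collapses an empty list into "no filter", beside the explicit `is not None` test that honours an empty allow-list.

```python
# Standalone model of the CVE-2018-17175 bug class: an "only" allow-list
# that is chosen per user role, where an empty list is meant to expose
# nothing. Hypothetical helpers, not marshmallow's implementation.

# Constructed sample record and per-role allow-lists (hypothetical roles).
RECORD = {"id": 7, "email": "a@example.org", "ssn": "000-00-0000"}
ROLE_ONLY = {
    "admin": None,               # None: no filtering, every field
    "support": ["id", "email"],  # a subset of fields
    "guest": [],                 # intended: expose no fields at all
}


def dump_vulnerable(record, only=None):
    """Buggy check: `if only` treats [] exactly like None, so an empty
    allow-list silently falls back to exposing every field."""
    if only:
        return {k: v for k, v in record.items() if k in only}
    return dict(record)


def dump_fixed(record, only=None):
    """Defensive check: only None means 'unfiltered'; an empty list is an
    empty allow-list and therefore yields an empty result."""
    if only is not None:
        allowed = set(only)
        return {k: v for k, v in record.items() if k in allowed}
    return dict(record)


def fields_exposed(dump, role):
    """Sorted field names that `role` would see through `dump`."""
    return sorted(dump(RECORD, ROLE_ONLY[role]))


if __name__ == "__main__":
    for role in ROLE_ONLY:
        print(role, fields_exposed(dump_vulnerable, role),
              fields_exposed(dump_fixed, role))
```

The "guest" row is the one that matters: the vulnerable form exposes all three fields, the fixed form exposes none.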
Products affected by CVE-2018-17175
- cpe:2.3:a:marshmallow_project:marshmallow:*:*:*:*:*:*:*:*
- Marshmallow Project » Marshmallow » For Python, versions from 3.0 (inclusive) up to but excluding 3.0.0b9: cpe:2.3:a:marshmallow_project:marshmallow:*:*:*:*:*:python:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-17175
0.06% (probability of exploitation activity in the next 30 days)
EPSS Score History
~14% (percentile: the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2018-17175
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST |
References for CVE-2018-17175
- https://github.com/marshmallow-code/marshmallow/issues/772 (Empty Only Treated as None · Issue #772 · marshmallow-code/marshmallow · GitHub) [Issue Tracking; Third Party Advisory]
- https://github.com/marshmallow-code/marshmallow/pull/782 (Fix #772 Empty Only Treated as None / 2.x-line by lafrech · Pull Request #782 · marshmallow-code/marshmallow · GitHub) [Third Party Advisory]
- https://github.com/marshmallow-code/marshmallow/pull/777 (Fix #772 Empty Only Treated as None by lafrech · Pull Request #777 · marshmallow-code/marshmallow · GitHub) [Third Party Advisory]