CVE-2017-18342
CRITICAL9.8EPSS 4.8%PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
發布日:2019/1/4修改日:2026/4/28
也稱為:DEBIAN-CVE-2017-18342
描述
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
受影響套件(3)
- Debian/pyyamlfrom 0, < 5.1.2-1
- PyPI/pyyamlfrom 0, < 4.1
- PyPI/pyyamlfrom 0, < 5.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(18)
- ADVISORYhttps://github.com/advisories/GHSA-rprw-h62v-c2w7
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-18342
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-18342
- PATCHhttps://github.com/yaml/pyyaml
- WEBhttps://github.com/marshmallow-code/apispec/issues/278
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2018-49.yaml
- WEBhttps://github.com/yaml/pyyaml/blob/master/CHANGES
- WEBhttps://github.com/yaml/pyyaml/commit/7b68405c81db889f83c32846462b238ccae5be80
- WEBhttps://github.com/yaml/pyyaml/issues/193
- WEBhttps://github.com/yaml/pyyaml/pull/74
- WEBhttps://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
- WEBhttps://security.gentoo.org/glsa/202003-45