CVE-2017-16616
published 2017-11-08CVE-2017-16616: An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can…
PriorityP259critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
3.59%
88.0th percentile
An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyanyapi_project | pyanyapi | < 0.6.1 | 0.6.1 |
| pyanyapi_project | pyanyapi | >= 0 < 0.6.1 | 0.6.1 |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Unsafe pyyaml load usage in PyAnyAPI
ghsa·2022-05-13
CVE-2017-16616 [CRITICAL] CWE-502 Unsafe pyyaml load usage in PyAnyAPI
Unsafe pyyaml load usage in PyAnyAPI
An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because `load` is used where `safe_load` should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
OSV
Unsafe pyyaml load usage in PyAnyAPI
osv·2022-05-13
CVE-2017-16616 [CRITICAL] Unsafe pyyaml load usage in PyAnyAPI
Unsafe pyyaml load usage in PyAnyAPI
An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because `load` is used where `safe_load` should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
OSV
CVE-2017-16616: An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces
osv·2017-11-08
CVE-2017-16616 CVE-2017-16616: An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces
An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/Stranger6667/pyanyapi/issues/41https://github.com/Stranger6667/pyanyapi/releases/tag/0.6.1https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16616-yamlparser-in-pyanyapi/https://pypi.python.org/pypi/pyanyapi/0.6.1https://github.com/Stranger6667/pyanyapi/issues/41https://github.com/Stranger6667/pyanyapi/releases/tag/0.6.1https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16616-yamlparser-in-pyanyapi/https://pypi.python.org/pypi/pyanyapi/0.6.1
2017-11-08
Published