CVE-2017-18342: Deserialization of Untrusted Data in PyYAML

Severity: 9.8 CRITICAL (NVD)
EPSS: 4.5% (top 10.89%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 27, 2018; latest update Feb 14, 2024

Description

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data: the default Loader honours the python/object, python/object/new and python/object/apply tags, so a YAML document can name any importable callable and have it invoked with attacker-chosen arguments while the document is being parsed. Version 5.1 deprecated calling load() without an explicit Loader argument and introduced 'UnsafeLoader', an alias for the old full-construction behaviour, for callers that knowingly depend on it. For untrusted input the correct API is yaml.safe_load() (or Loader=yaml.SafeLoader), which constructs only standard YAML types and rejects python/* tags with a ConstructorError. Note that FullLoader, the new default in 5.1, was itself found to still execute python/object/apply in 5.1 through 5.1.2 (CVE-2019-20477; see the Red Hat advisory and Bugzilla entry below), so upgrading alone does not protect code that keeps calling yaml.load() on untrusted data.
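As an added, runnable illustration (example code written for this page, not PyYAML's own), the script below parses a constructed document carrying a python/object/apply tag with the legacy loader and with SafeLoader, then audits every loader class the installed PyYAML exposes to report which ones actually invoke the named callable. It assumes the pyyaml package is installed; the document, the execution check and the audit helper are constructed here and appear nowhere on the page.

```python
"""CVE-2017-18342 in practice: which PyYAML loaders run code from a document.

Example written for this page, not PyYAML's own code. Requires `pyyaml`.
"""
import os
import yaml

# Constructed attacker-controlled document (not from the page). It looks like
# an ordinary config file, but the `!!python/object/apply` tag instructs the
# legacy constructor to import `os`, look up `getcwd`, and call it with the
# argument list `[]` while the document is being parsed. Any importable
# callable can stand in its place (subprocess.Popen, os.system, ...); getcwd
# is used only because its result is harmless and easy to check.
UNTRUSTED_DOC = """\
service:
  name: demo
  workdir: !!python/object/apply:os.getcwd []
"""


def load_legacy(doc: str) -> dict:
    """What `yaml.load(doc)` did before 5.1: full Python object construction.

    yaml.Loader is the original, unsafe loader; 5.1 exposed the same
    behaviour under the name yaml.UnsafeLoader for callers that opt in.
    """
    return yaml.load(doc, Loader=yaml.Loader)


def load_hardened(doc: str) -> dict:
    """The fix for untrusted input: SafeLoader builds only standard YAML
    types and raises ConstructorError on any python/* tag."""
    return yaml.safe_load(doc)


def execution_observed(parsed: dict) -> bool:
    """True if parsing actually invoked os.getcwd(), i.e. the loader ran code."""
    return parsed.get("service", {}).get("workdir") == os.getcwd()


def loader_executes_python_tag(loader_cls) -> bool:
    """Audit helper: does `loader_cls` invoke the callable named in the tag?

    Returns False both when the loader rejects the tag (ConstructorError)
    and when it silently keeps the node as a plain value (BaseLoader).
    """
    try:
        parsed = yaml.load(UNTRUSTED_DOC, Loader=loader_cls)
    except yaml.constructor.ConstructorError:
        return False
    return execution_observed(parsed)


def audit_loaders() -> dict:
    """Run the check against every loader class the installed PyYAML exposes.

    Expected on a current release: Loader/UnsafeLoader True, everything else
    False. On 5.1 through 5.1.2, FullLoader also comes back True
    (CVE-2019-20477, the incomplete fix noted in the Red Hat advisory).
    """
    names = ["Loader", "UnsafeLoader", "FullLoader", "SafeLoader", "BaseLoader"]
    return {n: loader_executes_python_tag(getattr(yaml, n))
            for n in names if hasattr(yaml, n)}


if __name__ == "__main__":
    print("PyYAML", yaml.__version__)
    for name, executes in audit_loaders().items():
        print(f"{name:13s} runs python/object/apply: {executes}")
    try:
        load_hardened(UNTRUSTED_DOC)
    except yaml.constructor.ConstructorError as exc:
        print("safe_load rejected the document:", str(exc).splitlines()[0])
```

Run it against the PyYAML version a service actually ships with: Loader and UnsafeLoader report True on every release because they are the legacy behaviour by design, FullLoader reports True only on the 5.1 to 5.1.2 releases covered by CVE-2019-20477, and SafeLoader reports False throughout. The migration for code that parses untrusted input is mechanical: replace yaml.load(x) with yaml.safe_load(x), or pass Loader=yaml.SafeLoader, and treat any remaining Loader=yaml.Loader / UnsafeLoader call site as a deliberate, reviewed exception.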

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
(Network attack vector, low complexity, no privileges or user interaction required; high confidentiality, integrity and availability impact, scope unchanged.)

Affected Packages (4 packages)

Source     Package          Affected versions
NVD        pyyaml/pyyaml    < 5.1
PyPI       pyyaml/pyyaml    5.1, 5.2b1, +1
Debian     pyyaml/pyyaml    < 5.1.2-1, +3
Palo Alto  paloalto/pan-os  (see PAN-SA-2024-0001 under Vendor Advisories)

Also affects: Fedora 28, 29, 30

Patches

Vulnerability Details (6)

GHSA     Deserialization of Untrusted Data in PyYAML (2021-04-20)
OSV      CVE-2017-18342: PyYAML 5 (2020-02-19)
OSV      PyYAML insecurely deserializes YAML strings leading to arbitrary code execution (2019-01-04)
GHSA     PyYAML insecurely deserializes YAML strings leading to arbitrary code execution (2019-01-04)
CVEList  CVE-2017-18342: In PyYAML before 5 (2018-06-27)

Vendor Advisories (4)

Palo Alto  PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-02-14)
Red Hat    PyYAML: command execution through python/object/apply constructor in FullLoader (2019-11-18)
Red Hat    PyYAML: yaml.load() API could execute arbitrary code (2018-06-27)
Debian     CVE-2017-18342: pyyaml - In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used w... (2017)

Community (5)

Bugzilla  CVE-2019-20477 PyYAML: command execution through python/object/apply constructor in FullLoader (2020-02-21)
Bugzilla  CVE-2017-18342 python3-PyYAML: PyYAML: yaml.load() API could execute arbitrary code [epel-all] (2018-06-27)
Bugzilla  CVE-2017-18342 python2-pyyaml: PyYAML: yaml.load() API could execute arbitrary code [epel-all] (2018-06-27)
Bugzilla  CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code [fedora-all] (2018-06-27)
Bugzilla  CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code (2018-06-27)
CVE-2017-18342 — Deserialization of Untrusted Data | cvebase