CVE-2019-20477 — Deserialization of Untrusted Data in Pyyaml

CWE-502 — Deserialization of Untrusted Data10 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 35.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pyyaml Debian Pyyaml Fedoraproject Fedora

Timeline

PublishedFeb 19

Latest updateApr 20

Description

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶PyPIpyyaml/pyyaml5.1 — 5.2

▶debiandebian/pyyaml< pyyaml 5.2-1 (bookworm)

▶Debianpyyaml/pyyaml< 5.2-1+3

▶NVDpyyaml/pyyaml5.1 — 5.1.2

Also affects: Fedora 30, 31

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in PyYAML↗2021-04-20

▶

OSV

Deserialization of Untrusted Data in PyYAML↗2021-04-20

▶

OSV

CVE-2019-20477: PyYAML 5↗2020-02-19

▶

📋Vendor Advisories

Red Hat

PyYAML: command execution through python/object/apply constructor in FullLoader↗2019-11-18

▶

Debian

CVE-2019-20477: pyyaml - PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all ...↗2019

▶

💬Community

Bugzilla

CVE-2019-20477 PyYAML: command execution through python/object/apply constructor in FullLoader [fedora-all]↗2020-02-21

▶

Bugzilla

CVE-2019-20477 python3-PyYAML: PyYAML: insufficient restrictions on the load and load_all functions [epel-all]↗2020-02-21

▶

Bugzilla

CVE-2019-20477 python2-pyyaml: PyYAML: insufficient restrictions on the load and load_all functions [epel-all]↗2020-02-21

▶

Bugzilla

CVE-2019-20477 PyYAML: command execution through python/object/apply constructor in FullLoader↗2020-02-21

▶