CVE-2020-1747
published 2020-03-24


Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 5.30% (91.6th percentile)

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Affected

26 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pyyaml | < pyyaml 5.3-2 (bookworm) | pyyaml 5.3-2 (bookworm) |
| debian | pyyaml | < pyyaml 5.3.1-4 (bookworm) | pyyaml 5.3.1-4 (bookworm) |
| docling-project | docling-core | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| msrc | cbl2_pyyaml_5.4.1-1_on_cbl_mariner_2.0 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |
| opensuse | leap | | |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | | |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | | |
| pyyaml | pyyaml | >= 0 < 5.3.1-4 | 5.3.1-4 |
| pyyaml | pyyaml | >= 0 < 5.3-2 | 5.3-2 |
| pyyaml | pyyaml | >= 0 < 5.3.1-4 | 5.3.1-4 |
| pyyaml | pyyaml | >= 0 < 5.3-2 | 5.3-2 |
| pyyaml | pyyaml | >= 0 < 5.3.1-4 | 5.3.1-4 |
| pyyaml | pyyaml | >= 0 < 5.3-2 | 5.3-2 |
| pyyaml | pyyaml | >= 0 < 5.3.1-4 | 5.3.1-4 |
| pyyaml | pyyaml | >= 0 < 5.3-2 | 5.3-2 |
| pyyaml | pyyaml | >= 0 < 5.4 | 5.4 |
| pyyaml | pyyaml | >= 5.1 < 5.4 | 5.4 |
| pyyaml | pyyaml | >= 5.1 < 5.3.1 | 5.3.1 |
| pyyaml | pyyaml | >= 5.1b7 < 5.3.1 | 5.3.1 |

Detection & IOCs (extracted from sources)

  • Arbitrary code execution is triggered via the `python/object/new` constructor in YAML payloads processed by PyYAML's FullLoader or full_load method — detect YAML input containing this constructor tag as a potential exploit attempt.
  • Vulnerable code path is specifically the `full_load` method or `FullLoader` loader in PyYAML versions before 5.3.1 — flag usage of these in applications processing untrusted input.
  • Red Hat Quay 3.2 uses the vulnerable `load` function but only to parse the Nginx configuration file containing trusted data — not exploitable in that context.
  • Ansible Tower 3.7 uses affected PyYAML 3.12 but specifies SafeLoader when calling load() — not exploitable in that configuration.
  • Red Hat Quay from version 3.4 onward uses safe_load and is not affected.
  • The fix in PyYAML 5.3.1 for CVE-2020-1747 was incomplete; full remediation requires upgrading to PyYAML 5.4 (tracked as CVE-2020-14343).
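
The first two checks above can be implemented with the standard library alone. This is an added example, not code from this page or from the PyYAML project: a line scan for the `python/object/new` tag in YAML input, and an AST pass that flags `full_load` / `FullLoader` call sites while leaving `SafeLoader` and `safe_load` alone. The function names and the sample inputs are constructed for illustration.

```python
import ast
import re

# python/object/new as a "!!" shorthand tag or a fully qualified yaml.org tag.
# A %TAG directive can alias the prefix; this line-based check does not resolve that.
TAG_RE = re.compile(r"(?:!!|!<?tag:yaml\.org,2002:)python/object/new\b")

def find_risky_tags(yaml_text):
    """Return 1-based line numbers of YAML lines carrying the python/object/new tag."""
    return [n for n, line in enumerate(yaml_text.splitlines(), 1) if TAG_RE.search(line)]

def _name(node):
    """Last component of a Name/Attribute node: yaml.FullLoader -> 'FullLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def find_full_loader_calls(source):
    """Return sorted (line, reason) pairs for calls that reach the FullLoader path."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = _name(node.func)
        if func in ("full_load", "full_load_all"):
            findings.append((node.lineno, func))
        elif func in ("load", "load_all"):
            # Loader may be passed by keyword or as the second positional argument.
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) > 1:
                loader = node.args[1]
            if _name(loader) == "FullLoader":
                findings.append((node.lineno, func + " with FullLoader"))
    return sorted(findings)

# Constructed samples (not from the advisory); the class name is a placeholder.
SAMPLE_YAML = "name: demo\nobj: !!python/object/new:example.Placeholder {}\n"
SAMPLE_SOURCE = """import yaml
a = yaml.full_load(data)
b = yaml.load(data, Loader=yaml.FullLoader)
c = yaml.load(data, Loader=yaml.SafeLoader)
d = yaml.safe_load(data)
"""

if __name__ == "__main__":
    print(find_risky_tags(SAMPLE_YAML))
    print(find_full_loader_calls(SAMPLE_SOURCE))
```

A hit from the AST pass only marks a call site for review; whether it is exploitable still depends on whether the input is untrusted, as the Quay and Ansible Tower notes above show.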

CVSS provenance

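| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_msrc | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |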