Description
emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.
References (5)
Issue Tracking (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=750658
Patch (x_refsource_confirm): https://bitbucket.org/jespern/django-piston/commits/91bdaec89543/
Third Party Advisory, vendor-advisory (x_refsource_debian): http://www.debian.org/security/2011/dsa-2344
Vendor Advisory (x_refsource_misc): https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
Mailing List, mailing-list (x_refsource_mlist): http://www.openwall.com/lists/oss-security/2011/11/01/10
Scores
EPSS: 0.0082
EPSS Percentile: 74.6%
Details
CWE: CWE-20
Status: published
Products (2)
djangoproject/piston: < 0.2.2.0
pypi/django-piston: 0.2.0 - 0.2.2.1 (PyPI)
Published: Oct 27, 2014
Tracked Since: Feb 18, 2026