CVE-2011-4104
Django Tastypie < 0.9.10 - Remote Code Execution via YAML Deserialization
Title source: llmDescription
The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.
References (5)
Core 5
Core References
Mailing List x_refsource_confirm
https://groups.google.com/forum/#%21topic/django-tastypie/i2aNGDHTUBI
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/11/02/7
Vendor Advisory x_refsource_misc
https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
Patch x_refsource_confirm
https://github.com/toastdriven/django-tastypie/commit/e8af315211b07c8f48f32a063233cc3f76dd5bc2
Patch mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/11/02/1
Scores
EPSS
0.0241
EPSS Percentile
82.1%
Details
CWE
CWE-20
Status
published
Products (2)
djangoproject/tastypie
< 0.9.9
pypi/django-tastypie
0 - 0.9.10PyPI
Published
Oct 27, 2014
Tracked Since
Feb 18, 2026