CVE-2017-18342

CRITICAL

Pyyaml < 5.1 - Insecure Deserialization


Description

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code when used on untrusted data. The load() function has been deprecated in version 5.1, and 'UnsafeLoader' has been introduced for backward compatibility with it.
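The mitigation the description implies, shown as an added example that is not from the advisory or from the PyYAML project: parse untrusted input only with SafeLoader (yaml.safe_load) and treat any document it rejects as untrusted. It assumes PyYAML is installed; the two sample documents are constructed.

```python
# Added example (not from the advisory): safe parsing of untrusted YAML.
# Requires PyYAML; the behaviour shown holds both before and after 5.1.
import yaml

# Constructed sample documents. The second carries a PyYAML-specific
# "!!python/" tag, the tag family that the full Loader honours and that
# the safe loader refuses (the benign !!python/tuple stands in for the
# whole family here).
PLAIN_DOC = """
service: billing
replicas: 3
"""

TAGGED_DOC = """
service: billing
replicas: !!python/tuple [1, 2]
"""


def load_untrusted(text):
    """Parse YAML from an untrusted source with SafeLoader only.

    Returns (True, parsed_object) on success, or (False, reason) when the
    document uses a construct SafeLoader does not implement, such as any
    !!python/ tag. yaml.safe_load is shorthand for
    yaml.load(text, Loader=yaml.SafeLoader); never call yaml.load()
    without an explicit Loader on untrusted input.
    """
    try:
        return True, yaml.safe_load(text)
    except yaml.YAMLError as exc:  # ConstructorError derives from YAMLError
        return False, str(exc)


def is_safe_yaml(text):
    """True when the document parses under SafeLoader without error."""
    ok, _ = load_untrusted(text)
    return ok


if __name__ == "__main__":
    print(load_untrusted(PLAIN_DOC))   # (True, {'service': 'billing', 'replicas': 3})
    print(load_untrusted(TAGGED_DOC))  # (False, 'could not determine a constructor ...')
```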

Scores

CVSS v3 9.8
EPSS 0.0447
EPSS Percentile 88.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (5)

pyyaml/pyyaml < 5.1
fedoraproject/fedora
fedoraproject/fedora
fedoraproject/fedora
pypi/PyYAML < 4.1 (PyPI)

Timeline

Published Jun 27, 2018
Tracked Since Feb 18, 2026