CVE-2017-18342
Severity: CRITICAL
PyYAML < 5.1 - Remote Code Execution via yaml.load()
Title source: llmDescription
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
References (9)
https://github.com/yaml/pyyaml/pull/74 (Patch, Third Party Advisory; x_refsource_misc)
https://github.com/yaml/pyyaml/blob/master/CHANGES (Release Notes, Third Party Advisory; x_refsource_misc)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://github.com/marshmallow-code/apispec/issues/278 (Third Party Advisory; x_refsource_misc)
https://github.com/yaml/pyyaml/issues/193 (Third Party Advisory; x_refsource_misc)
https://security.gentoo.org/glsa/202003-45 (Third Party Advisory; vendor-advisory, x_refsource_gentoo)
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation (Third Party Advisory; x_refsource_misc)
Scores
CVSS v3 base score: 9.8
EPSS: 0.0603
EPSS Percentile: 92.4%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-502 (Deserialization of Untrusted Data)
Status: published
Products (5)
fedoraproject/fedora: 28
fedoraproject/fedora: 29
fedoraproject/fedora: 30
pypi/PyYAML: 0 - 4.1 (PyPI)
pyyaml/pyyaml: < 5.1
Published: Jun 27, 2018
Tracked Since: Feb 18, 2026