CVE-2019-10135
HIGH
osbs-client <0.56.1 - Code Injection
Title source: llm
Description
A flaw was found in the use of the yaml.load() function in osbs-client versions since 0.46 and before 0.56.1. Insecure use of yaml.load() allowed a user to load any suspicious object, leading to code execution when malicious YAML files were parsed.
Scores
CVSS v3
7.2
EPSS
0.0073
EPSS Percentile
72.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (1)
osbs-client_project/osbs-client
< 0.56.1
Timeline
Published
Jul 11, 2019
Tracked Since
Feb 18, 2026