Description
A flaw was found in the yaml.load() function in the osbs-client versions since 0.46 before 0.56.1. Insecure use of the yaml.load() function allowed the user to load any suspicious object for code execution via the parsing of malicious YAML files.
References (2)
Core 2
Core References
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10135
Patch, Third Party Advisory
https://github.com/containerbuildsystem/osbs-client/pull/865
Scores
CVSS v3
7.2
EPSS
0.0189
EPSS Percentile
76.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
osbs-client_project/osbs-client
0.46 - 0.56.1
Published
Jul 11, 2019
Tracked Since
Feb 18, 2026