CVSS: 10.0EPSS: 13%CPEs: 3EXPL: 1CVE-2020-14343 – PyYAML: incomplete fix for CVE-2020-1747
https://notcve.org/view.php?id=CVE-2020-14343
09 Feb 2021 — A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. Se detectó una vuln... • https://github.com/j4k0m/loader-CVE-2020-14343 • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 2%CPEs: 7EXPL: 0CVE-2020-1747 – PyYAML: arbitrary command execution through python/object/new when FullLoader is used
https://notcve.org/view.php?id=CVE-2020-1747
24 Mar 2020 — A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor. Se descubrió una vulnerabilidad en la biblioteca PyYAML versiones anter... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2019-20477 – PyYAML: command execution through python/object/apply constructor in FullLoader
https://notcve.org/view.php?id=CVE-2019-20477
19 Feb 2020 — PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342. PyYAML versiones 5.1 hasta 5.1.2, presenta restricciones insuficientes en las funciones load y load_all debido a un problema de deserialización de clase, por ejemplo, Popen es una clase en el módulo subprocess. NOTA: este problema se presenta debido a una co... • https://github.com/yaml/pyyaml/blob/master/CHANGES • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 4%CPEs: 4EXPL: 0CVE-2017-18342 – Gentoo Linux Security Advisory 202003-45
https://notcve.org/view.php?id=CVE-2017-18342
27 Jun 2018 — In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function. En PyYAML en versiones anteriores a 5.1, la API yaml.load () podría ejecutar código arbitrario si se usara con datos no confiables. La función load () ha quedado en desuso en la versión 5.1 y se ha introducido el "UnsafeLoader" para una compatibilidad hacia atrás con ... • https://github.com/marshmallow-code/apispec/issues/278 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 60%CPEs: 2EXPL: 3CVE-2014-9130 – libyaml: assert failure when processing wrapped strings
https://notcve.org/view.php?id=CVE-2014-9130
08 Dec 2014 — scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping. scanner.c en LibYAML 0.1.5 y 0.1.6, utilizado en el módulo YAML-LibYAML (también conocido como YAML-XS) para Perl, permite a atacantes dependientes de contexto causar una denegación de servicio (fallo de aserción y caída) a través de vectores que involucran la envoltura de líneas (li... • http://advisories.mageia.org/MGASA-2014-0508.html • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •
CVSS: 9.8EPSS: 35%CPEs: 9EXPL: 1CVE-2014-2525 – libyaml: heap-based buffer overflow when parsing URLs
https://notcve.org/view.php?id=CVE-2014-2525
26 Mar 2014 — Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file. Desbordamiento de buffer basado en memoria dinámica en la función yaml_parser_scan_uri_escapes en LibYAML anterior a 0.1.6 permite a atacantes dependientes de contexto ejecutar código arbitrario a través de una secuencia larga de caracteres codificados de porcentaje en una URI en... • http://advisories.mageia.org/MGASA-2014-0150.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 8.6EPSS: 8%CPEs: 16EXPL: 0CVE-2013-6393 – libyaml: heap-based buffer overflow when parsing YAML tags
https://notcve.org/view.php?id=CVE-2013-6393
01 Feb 2014 — The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow. La función yaml_parser_scan_tag_uri en scanner.c en LibYAML anterior a 0.1.5 lleva a cabo un "cast" incorrecto, lo que permite a atacantes remotos causar una denegación de servicio (caída de la aplicación) y prob... • http://advisories.mageia.org/MGASA-2014-0040.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •