CVSS: 10.0EPSS: 15%CPEs: 3EXPL: 1CVE-2020-14343 – PyYAML: incomplete fix for CVE-2020-1747
https://notcve.org/view.php?id=CVE-2020-14343
09 Feb 2021 — A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. Se detectó una vuln... • https://github.com/j4k0m/loader-CVE-2020-14343 • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 2%CPEs: 7EXPL: 0CVE-2020-1747 – PyYAML: arbitrary command execution through python/object/new when FullLoader is used
https://notcve.org/view.php?id=CVE-2020-1747
24 Mar 2020 — A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor. Se descubrió una vulnerabilidad en la biblioteca PyYAML versiones anter... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2019-20477 – PyYAML: command execution through python/object/apply constructor in FullLoader
https://notcve.org/view.php?id=CVE-2019-20477
19 Feb 2020 — PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342. PyYAML versiones 5.1 hasta 5.1.2, presenta restricciones insuficientes en las funciones load y load_all debido a un problema de deserialización de clase, por ejemplo, Popen es una clase en el módulo subprocess. NOTA: este problema se presenta debido a una co... • https://github.com/yaml/pyyaml/blob/master/CHANGES • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 4%CPEs: 4EXPL: 0CVE-2017-18342 – Gentoo Linux Security Advisory 202003-45
https://notcve.org/view.php?id=CVE-2017-18342
27 Jun 2018 — In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function. En PyYAML en versiones anteriores a 5.1, la API yaml.load () podría ejecutar código arbitrario si se usara con datos no confiables. La función load () ha quedado en desuso en la versión 5.1 y se ha introducido el "UnsafeLoader" para una compatibilidad hacia atrás con ... • https://github.com/marshmallow-code/apispec/issues/278 • CWE-502: Deserialization of Untrusted Data •