CVE-2011-4103 – django-piston
Package
Manager: pip
Name: django-piston
Vulnerable Version: >=0.2.0 <0.2.2.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00821 (percentile 0.7354)
Details
Django-piston and Django-tastypie do not properly deserialize YAML data.

emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method. Django Tastypie has a very similar vulnerability.
Metadata
Created: 2018-07-23T19:50:48Z
Modified: 2024-09-16T23:00:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-pvhp-v9qp-xf5r/GHSA-pvhp-v9qp-xf5r.json
CWE IDs: CWE-20
Alternative ID: GHSA-pvhp-v9qp-xf5r
Finding: F184
Auto approve: 1