CVE-2011-4104 – django-tastypie
Package
Manager: pip
Name: django-tastypie
Vulnerable Version: >=0 <0.9.10
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00821 (percentile 0.73533)
Details
Django Tastypie Improper Deserialization of YAML Data
The `from_yaml` method in serializers.py in Django Tastypie before 0.9.10 does not safely deserialize YAML data: it hands the input to the yaml.load method, which allows remote attackers to execute arbitrary Python code by submitting crafted YAML.
Metadata
Created: 2022-05-14T03:08:09Z
Modified: 2024-09-16T22:12:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qgvw-qc2q-gv5q/GHSA-qgvw-qc2q-gv5q.json
CWE IDs: CWE-502
Alternative ID: GHSA-qgvw-qc2q-gv5q
Finding: F096
Auto approve: 1