CVE-2018-17175 – marshmallow
Package
Manager: pip
Name: marshmallow
Vulnerable Version: >=0 <2.15.1 || >=3.0a0 <3.0.0b9
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00255 pctl0.48697
Details
In the marshmallow library for Python before 2.15.1, and 3.x before 3.0.0b9, the schema "only" option treats an empty list as implying no "only" option at all. A request that was intended to expose no fields therefore exposes every field on the schema. The condition is reachable when a schema is filtered dynamically by passing "only" at serialization time and some user role (for example an unauthenticated or unprivileged caller) produces an empty value for "only": the empty list is falsy, so it is indistinguishable from "no restriction given", and the full object is dumped.
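The following is an added illustration, not code from marshmallow or from the advisory. It models the failure mode in a few lines: a dumper that gates field filtering on the truthiness of "only" (so an empty list disables filtering) beside one that gates on "only is not None" (so an empty list filters everything out). The record, the role-to-fields table and the function names are constructed for the example.

```python
"""Constructed model of CVE-2018-17175 (CWE-358): truthiness vs. explicit None check on "only".

This is NOT marshmallow's implementation; it reproduces only the decision that was wrong.
"""
from typing import Callable, Dict, Iterable, Optional

# Constructed sample record; the sensitive fields are the ones a restricted role must never see.
RECORD: Dict[str, object] = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$constructed-hash-for-the-example",
    "is_admin": False,
}

# Constructed role policy: None means "no restriction", a list means "exactly these fields".
# "anonymous" is intended to expose nothing, so it gets an empty list.
ROLE_FIELDS: Dict[str, Optional[Iterable[str]]] = {
    "admin": None,
    "user": ["id", "username"],
    "anonymous": [],
}


def dump_vulnerable(record: Dict[str, object], only: Optional[Iterable[str]] = None) -> Dict[str, object]:
    """Pre-fix behaviour: `if only:` treats [] the same as None, so [] dumps every field."""
    if only:
        keep = set(only)
        return {k: v for k, v in record.items() if k in keep}
    return dict(record)


def dump_fixed(record: Dict[str, object], only: Optional[Iterable[str]] = None) -> Dict[str, object]:
    """Fixed behaviour: only the absence of the option (None) means "no restriction"."""
    if only is not None:
        keep = set(only)
        return {k: v for k, v in record.items() if k in keep}
    return dict(record)


def serialize_for_role(
    record: Dict[str, object],
    role: str,
    dumper: Callable[..., Dict[str, object]],
) -> Dict[str, object]:
    """Dynamic filtering as an application would do it: look up the role's field list, pass it as `only`."""
    return dumper(record, only=ROLE_FIELDS[role])


def leaks_on_empty_only(dumper: Callable[..., Dict[str, object]]) -> bool:
    """Regression probe: a correct dumper returns nothing when asked for no fields."""
    return bool(dumper(RECORD, only=[]))


if __name__ == "__main__":
    for name, dumper in (("vulnerable", dump_vulnerable), ("fixed", dump_fixed)):
        print(name, "anonymous ->", serialize_for_role(RECORD, "anonymous", dumper))
        print(name, "leaks on only=[]:", leaks_on_empty_only(dumper))
```

The practical takeaways for a deployment are the two lines of the fixed dumper and the probe: pin marshmallow to >=2.15.1 (or >=3.0.0b9 on the 3.x line), and keep a test in the application that serializes a sensitive object with an empty "only" and asserts the result is empty, so a regression in the library or in your own role-to-fields mapping is caught before it reaches production.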
Metadata
Created: 2018-10-10T16:10:46Z
Modified: 2024-09-24T20:09:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9q2p-fj49-vpxj/GHSA-9q2p-fj49-vpxj.json
CWE IDs: ["CWE-358"]
Alternative ID: GHSA-9q2p-fj49-vpxj
Finding: F096
Auto approve: 1