Fluid Attacks Database

Description

Deserialization of Untrusted Data in PyYAML PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pyyaml	>=5.1 <5.2	5.2
debian 14	pyyaml	>=0 <5.2-1	5.2-1
debian 12	pyyaml	>=0 <5.2-1	5.2-1
debian 13	pyyaml	>=0 <5.2-1	5.2-1
debian 11	pyyaml	>=0 <5.2-1	5.2-1
rpm rhel8	python38	<0:3.8.3-3.module+el8.3.0+7680+79e7e61a	0:3.8.3-3.module+el8.3.0+7680+79e7e61a
rpm rhel6	PyYAML	-	-

Aliases

1. CVE-2019-204772. NVD-2019-204773. OSV-2019-204774. OSV-DEBIAN-2019-204775. GHSA-3pqx-4fqf-j49f6. GCVE-2019-204777. SECURITY-TRACKER-CVE-2019-20477

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2020-176.yaml2. https://github.com/yaml/pyyaml/blob/master/CHANGES3. https://lists.fedoraproject.org/archives/list/[email protected]/message/33VBUY73AA6CTTYL3LRWHNFDULV7PFPN4. https://lists.fedoraproject.org/archives/list/[email protected]/message/52N5XS73Z5S4ZN7I7R56ICCPCTKCUV4H5. https://www.exploit-db.com/download/47655

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.