Description
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
Packages
Package | Status | Fixed version | Release | Type
---|---|---|---|---
pyyaml | fixed | 5.1.2-1 | | package
Notes
This is a well-known design deficiency in pyyaml; various CVE IDs have been assigned to applications misusing the API over the years. This CVE ID was assigned to raise awareness (and 5.1 now fixes the default behaviour as well).
https://github.com/yaml/pyyaml/pull/74
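An added example of the defensive pattern the note describes, not code from the advisory or from the PyYAML project: untrusted input is first composed into a node graph with `yaml.SafeLoader` (no constructors run), scanned for tags in the `python/` namespace, and then loaded only with `yaml.safe_load()`. The two sample documents are constructed for the example; it assumes PyYAML 5.1 or later is installed.

```python
import yaml

PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"

# Constructed sample documents (not from the advisory). The second carries a
# harmless python/tuple tag: SafeLoader refuses it, whereas the pre-5.1
# yaml.load() default honoured the whole python/ tag family.
CLEAN_DOC = "name: demo\nports: [80, 443]\n"
TAGGED_DOC = "name: demo\nports: !!python/tuple [80, 443]\n"


def find_python_tags(text):
    """Compose the node graph with SafeLoader (no constructors run) and
    return every tag in the python/ namespace, in document order."""
    found = []

    def walk(node):
        if node.tag.startswith(PYTHON_TAG_PREFIX):
            found.append(node.tag)
        if isinstance(node, yaml.SequenceNode):
            for child in node.value:
                walk(child)
        elif isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                walk(key)
                walk(value)

    root = yaml.compose(text, Loader=yaml.SafeLoader)
    if root is not None:  # empty input composes to None
        walk(root)
    return found


def load_untrusted(text):
    """Parse YAML from an untrusted source with the safe loader only.
    Returns the data, or None when the document carries python/ tags or
    anything else SafeLoader will not construct (or fails to parse)."""
    if find_python_tags(text):
        return None
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError:
        return None


if __name__ == "__main__":
    print(load_untrusted(CLEAN_DOC))     # {'name': 'demo', 'ports': [80, 443]}
    print(find_python_tags(TAGGED_DOC))  # ['tag:yaml.org,2002:python/tuple']
    print(load_untrusted(TAGGED_DOC))    # None
```

The pre-parse scan is what makes the rejection loggable: an alert on any `python/` tag in inbound YAML is a cheap detection signal even where the loader would already have refused it.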
Related vulnerabilities
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
A vulnerability in the yaml.load() component of PyYAML, the YAML parsing library for Python, allowing an attacker to access sensitive data, compromise its integrity, and cause a denial of service.