Description
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
Statement
The default loading mechanism in PyYAML contains fundamental and long-standing functionality that allows for arbitrary code execution. The yaml.load() function (when called without a specified loader) has been documented as inherently unsafe since its first release. When processing YAML input, this function can call any Python function, including those that execute system commands (e.g., os.system()). In response, the PyYAML maintainers have deprecated the plain use of yaml.load() to encourage developers to explicitly choose a safer option.

The yaml.safe_load() function is the intended replacement. It handles a safe subset of the YAML language and disables the dangerous features that permit arbitrary code execution, effectively neutralizing the RCE threat from untrusted input. However, to maintain backwards compatibility, the yaml.load() function remains available. Its default behavior (as of PyYAML 5.1) was to use FullLoader and issue a warning. FullLoader was deemed not safe for untrusted data, and as of PyYAML 6.0 yaml.load() requires an explicit Loader argument. The original vulnerable loader is also retained (again, in the interest of backwards compatibility), which provides the attack vector.

The code executed via PyYAML runs as the user invoking the Python binary that calls the PyYAML module; there is no inherent privilege escalation. Therefore any exploit with substantial impact requires privilege escalation via a separate vulnerability, poor application design, or poor coding practices. Given that the vulnerability in PyYAML's load function provides a mechanism for threat actors to potentially impact a system via a wide range of Python functions, Red Hat must err on the side of caution and view the possible impact to Confidentiality, Integrity, and Availability as High.
Mitigation
Any codebases written in Python and employing the PyYAML library should be audited. Developers should replace every instance of the deprecated yaml.load() function with the secure alternative, yaml.safe_load(), especially when handling configuration or data from untrusted sources. Any applications invoking python where PyYAML is available should run as a non-privileged user.
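As an added illustration of the audit step above (example code written for this page, not Red Hat's or PyYAML's own), a stdlib-only scanner that walks a Python source file's AST and flags yaml.load() calls with no Loader, calls that pass Loader, UnsafeLoader or FullLoader, and yaml.unsafe_load(). It assumes the library is referenced as `yaml`; the sample source it scans is constructed for the example.

```python
import ast

# Loaders that construct arbitrary objects; FullLoader is included because the advisory deems it unsafe for untrusted data.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}

def _loader_name(call):
    """Name of the Loader passed to a yaml.load() call, or None if absent."""
    node = None
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
    if node is None and len(call.args) >= 2:  # positional form: yaml.load(stream, yaml.Loader)
        node = call.args[1]
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None if node is None else "<expression>"

def audit_source(source, filename="<string>"):
    """Sorted (line, reason) pairs for risky PyYAML calls; assumes the module is referenced as ``yaml``."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        owner, name = node.func.value, node.func.attr
        if not (isinstance(owner, ast.Name) and owner.id == "yaml"):
            continue
        if name in ("unsafe_load", "unsafe_load_all"):
            findings.append((node.lineno, f"yaml.{name}() constructs arbitrary objects"))
        elif name in ("load", "load_all"):
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, f"yaml.{name}() without Loader (deprecated in 5.1, required in 6.0)"))
            elif loader in UNSAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{name}(Loader={loader}) is not safe for untrusted input"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{name}() with unrecognised loader {loader}: review"))
    return sorted(findings)

# Constructed sample source (not from any real code base); comments mark the line numbers the scanner reports.
SAMPLE_SOURCE = """
import yaml
cfg = yaml.load(open("config.yml"))               # line 3: no Loader
data = yaml.load(stream, Loader=yaml.FullLoader)  # line 4: FullLoader
good = yaml.load(stream, Loader=yaml.SafeLoader)  # line 5: clean
raw = yaml.unsafe_load(stream)                    # line 6: unsafe_load
pos = yaml.load(stream, yaml.Loader)              # line 7: positional Loader
"""
```

Running `audit_source(SAMPLE_SOURCE)` reports lines 3, 4, 6 and 7; to audit a real file, pass its contents and path in place of the constructed sample.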
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ceph Storage 1.3 | PyYAML | Will not fix | | |
| Red Hat Enterprise Linux 6 | PyYAML | Will not fix | | |
| Red Hat Enterprise Linux 7 | PyYAML | Will not fix | | |
| Red Hat Enterprise Linux 8 | PyYAML | Will not fix | | |
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | PyYAML | Will not fix | | |
| Red Hat Enterprise MRG 2 | PyYAML | Will not fix | | |
| Red Hat OpenStack Platform 10 (Newton) | PyYAML | Will not fix | | |
| Red Hat OpenStack Platform 12 (Pike) | PyYAML | Will not fix | | |
| Red Hat OpenStack Platform 13 (Queens) | PyYAML | Will not fix | | |
| Red Hat OpenStack Platform 15 (Stein) | PyYAML | Not affected | | |
Additional information
CVSS3: 9.8 Critical
Related vulnerabilities
PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
A vulnerability in the yaml.load() component of PyYAML, the YAML parsing library for Python, that allows an attacker to gain access to sensitive data, violate its integrity, and cause a denial of service