Description
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data: the default loader resolves YAML tags such as python/object and python/object/apply into arbitrary Python object construction. Calling load() without an explicit Loader argument has been deprecated in version 5.1, and the UnsafeLoader class has been introduced so that callers who need the old behaviour can request it explicitly.
Statement
PyYAML in the channels for Red Hat MRG Messaging 2 should no longer be used, as a newer version is now available in Red Hat Enterprise Linux; newer packages should be consumed from the Red Hat Enterprise Linux channels. This issue affects the versions of the PyYAML package as shipped with Red Hat Satellite 5. However, this flaw is not known to be exploitable under any supported scenario in Satellite 5. A future update may address this issue. The PyYAML library provided in the Red Hat OpenStack repositories is vulnerable. However, there are no instances where this library is used in a way that exposes the vulnerability. Any updates will be delivered through the RHEL channels.
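The claim above ("no instances where this library is used in a way that exposes the vulnerability") is the kind of statement you verify by auditing every yaml.load() call site. The following is an added example, not code from PyYAML, Red Hat or this advisory: a standard-library-only static check that walks a Python module's AST and reports each PyYAML load call as unsafe or safe. A call is reported as unsafe when it uses unsafe_load()/unsafe_load_all(), when load()/load_all() is called with no Loader (the pre-5.1 default that this advisory describes), or when the Loader is anything other than SafeLoader/BaseLoader (or their C variants); that allow-list and the sample source being scanned are my own construction.

```python
"""Static check for PyYAML load calls that can execute code on untrusted input."""
import ast
from typing import Dict, List, Optional, Set, Tuple

# Only these loaders refuse the python/* tags that turn a YAML document into
# arbitrary Python object construction.  Loader, UnsafeLoader and FullLoader
# are deliberately not on this list (allow-list is an assumption of this example).
SAFE_LOADERS = {"SafeLoader", "BaseLoader", "CSafeLoader", "CBaseLoader"}

LOAD_FUNCS = {"load", "load_all"}                   # take an optional Loader
ALWAYS_UNSAFE = {"unsafe_load", "unsafe_load_all"}  # never safe on untrusted data
ALWAYS_SAFE = {"safe_load", "safe_load_all"}        # hard-wired to SafeLoader

# (line number, yaml function called, loader name or None, verdict)
Finding = Tuple[int, str, Optional[str], str]


class YamlLoadScanner(ast.NodeVisitor):
    """Collects every PyYAML load call in a module together with a verdict."""

    def __init__(self) -> None:
        self.module_aliases: Set[str] = set()     # names bound to the yaml module
        self.func_aliases: Dict[str, str] = {}    # local name -> yaml function name
        self.findings: List[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:                  # import yaml / import yaml as y
            if alias.name == "yaml":
                self.module_aliases.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "yaml":                 # from yaml import load as yload
            for alias in node.names:
                self.func_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def _yaml_func(self, func: ast.expr) -> Optional[str]:
        """Map the called expression back to a yaml function name, if it is one."""
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in self.module_aliases):
            return func.attr
        if isinstance(func, ast.Name):
            return self.func_aliases.get(func.id)
        return None

    @staticmethod
    def _loader_name(expr: ast.expr) -> str:
        """yaml.SafeLoader -> 'SafeLoader', SafeLoader -> 'SafeLoader'."""
        if isinstance(expr, ast.Attribute):
            return expr.attr
        if isinstance(expr, ast.Name):
            return expr.id
        return "<dynamic>"                        # computed loader: treat as unsafe

    def visit_Call(self, node: ast.Call) -> None:
        fn = self._yaml_func(node.func)
        if fn in ALWAYS_UNSAFE:
            self.findings.append((node.lineno, fn, None, "unsafe"))
        elif fn in ALWAYS_SAFE:
            self.findings.append((node.lineno, fn, "SafeLoader", "safe"))
        elif fn in LOAD_FUNCS:
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) >= 2:
                loader = node.args[1]             # Loader passed positionally
            if loader is None:
                # No Loader at all: before 5.1 this resolves python/* tags.
                self.findings.append((node.lineno, fn, None, "unsafe"))
            else:
                name = self._loader_name(loader)
                verdict = "safe" if name in SAFE_LOADERS else "unsafe"
                self.findings.append((node.lineno, fn, name, verdict))
        self.generic_visit(node)                  # keep walking nested calls


def scan_source(src: str) -> List[Finding]:
    """Return all PyYAML load findings for one module's source text."""
    scanner = YamlLoadScanner()
    scanner.visit(ast.parse(src))
    return scanner.findings


def unsafe_calls(src: str) -> List[Finding]:
    """Only the findings an auditor must follow up on."""
    return [f for f in scan_source(src) if f[3] == "unsafe"]


# Constructed sample module (not real application code) mixing the patterns.
SAMPLE = """
import yaml
from yaml import load as yload, SafeLoader, safe_load

def parse_untrusted(blob):
    return yaml.load(blob)

def parse_legacy(blob):
    return yaml.load(blob, Loader=yaml.UnsafeLoader)

def parse_ok(blob):
    return yaml.load(blob, Loader=yaml.SafeLoader)

def parse_ok2(blob):
    return safe_load(blob)

def parse_alias(blob):
    return yload(blob, SafeLoader)

def parse_full(blob):
    return yaml.load(blob, Loader=yaml.FullLoader)
"""

if __name__ == "__main__":
    for line, fn, loader, verdict in scan_source(SAMPLE):
        print(f"line {line:>3}: {fn}(Loader={loader}) -> {verdict}")
```

Run it against a real tree with `for f in $(git ls-files '*.py'); do ...; done` feeding each file to scan_source(); any "unsafe" finding whose input can originate outside the trust boundary is an exposure of this flaw, and the fix is to pass Loader=yaml.SafeLoader (or call yaml.safe_load()). FullLoader is reported on purpose: it is not SafeLoader, and an audit should justify each remaining use explicitly rather than assume it.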
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Ceph Storage 1.3 | PyYAML | Will not fix | ||
Red Hat Enterprise Linux 6 | PyYAML | Will not fix | ||
Red Hat Enterprise Linux 7 | PyYAML | Will not fix | ||
Red Hat Enterprise Linux 8 | PyYAML | Will not fix | ||
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | PyYAML | Will not fix | ||
Red Hat Enterprise MRG 2 | PyYAML | Will not fix | ||
Red Hat OpenStack Platform 10 (Newton) | PyYAML | Will not fix | ||
Red Hat OpenStack Platform 12 (Pike) | PyYAML | Will not fix | ||
Red Hat OpenStack Platform 13 (Queens) | PyYAML | Will not fix | ||
Red Hat OpenStack Platform 15 (Stein) | PyYAML | Not affected | ||
Additional information
Status:
EPSS:
CVSS3: 8.1 High
Related vulnerabilities
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
A vulnerability in the yaml.load() component of PyYAML, the YAML parsing library for Python, that allows an attacker to gain access to confidential data, violate its integrity, and cause a denial of service.