DEBIAN-CVE-2018-17175
- Source
- https://security-tracker.debian.org/tracker/DEBIAN-CVE-2018-17175
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2018-17175.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2018-17175
- Upstream
- Published
- 2018-09-18T17:29:01Z
- Modified
- 2025-09-19T06:22:21Z
- Summary
- [none]
- Details
-
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
- References
Affected packages
Debian:11 / python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/debian/python-marshmallow?arch=source
Debian:12 / python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/debian/python-marshmallow?arch=source
Debian:13 / python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/debian/python-marshmallow?arch=source
Debian:14 / python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/debian/python-marshmallow?arch=source