GHSA-rprw-h62v-c2w7

Suggest an improvement
Source
https://github.com/advisories/GHSA-rprw-h62v-c2w7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-rprw-h62v-c2w7/GHSA-rprw-h62v-c2w7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rprw-h62v-c2w7
Aliases
Published
2019-01-04T17:45:26Z
Modified
2024-10-16T21:08:11.346917Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
Details

In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.

References

Affected packages

PyPI / pyyaml

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1

Affected versions

3.*

3.01
3.02
3.03
3.04
3.05
3.06
3.07
3.08
3.09
3.10
3.11
3.12
3.13b1
3.13rc1
3.13