PYSEC-2017-23

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyanyapi/PYSEC-2017-23.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2017-23
Aliases
Published
2017-11-08T03:29:00Z
Modified
2023-11-01T04:47:59.969330Z
Summary
[none]
Details

An exploitable vulnerability exists in the YAML parsing functionality of the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. The parser can execute arbitrary Python code, resulting in command execution, because load is used where safe_load should have been used. An attacker can insert Python into the loaded YAML to trigger this vulnerability.

References

Affected packages

PyPI / pyanyapi

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.6.1

Affected versions

0.*

0.4
0.5
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0