PYSEC-2018-67
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/marshmallow/PYSEC-2018-67.yaml
- JSON Data
- https://api.test.osv.dev/v1/vulns/PYSEC-2018-67
- Aliases
- Published
- 2018-09-18T17:29:00Z
- Modified
- 2023-11-01T04:49:09.661702Z
- Summary
- [none]
- Details
-
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
- References
Affected packages
PyPI / marshmallow
Package
- Name
- marshmallow
- View open source insights on deps.dev
- Purl
- pkg:pypi/marshmallow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.15.1Introduced3.0a0Fixed3.0.0b9
Affected versions
0.*
0.1.0
0.2.0
0.2.1
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.6.0
0.7.0
1.*
1.0.0-a
1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
2.*
2.0.0a1
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0b4
2.0.0b5
2.0.0rc1
2.0.0rc2
2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
2.4.2
2.5.0
2.6.0
2.6.1
2.7.0
2.7.1
2.7.2
2.7.3
2.8.0
2.9.0
2.9.1
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.14.0
2.15.0
3.*
3.0.0a1
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0b5
3.0.0b6
3.0.0b7
3.0.0b8