CVE-2017-18342

Published: 6/27/2018 Last updated: 8/5/2024 Reserved: 6/27/2018

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca) Requested by: n/a

Opam packages affected (1)

conf-python3-yaml

Products affected (1)

Product	Vendor	Version
n/a	n/a	10 Version 1809 for x64-based Systems

References (18)

https://github.com/yaml/pyyaml/pull/74
https://github.com/yaml/pyyaml/blob/master/CHANGES
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
https://github.com/marshmallow-code/apispec/issues/278
https://github.com/yaml/pyyaml/issues/193
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
https://security.gentoo.org/glsa/202003-45
https://github.com/yaml/pyyaml/pull/74
https://github.com/yaml/pyyaml/blob/master/CHANGES
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
https://github.com/marshmallow-code/apispec/issues/278
https://github.com/yaml/pyyaml/issues/193
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
https://security.gentoo.org/glsa/202003-45