Information Exposure Affecting marshmallow package, versions [,2.15.1) [3.0.0a1,3.0.0b9)


medium

Snyk CVSS
    Attack Complexity: Low
    Threat Intelligence: EPSS 0.09% (38th percentile)

NVD: 5.3 medium

  • Snyk ID SNYK-PYTHON-MARSHMALLOW-72559
  • published 4 Nov 2018
  • disclosed 19 Apr 2018
  • credit Unknown

How to fix?

Upgrade marshmallow to version 2.15.1 (2.x line) or 3.0.0b9 (3.0 pre-release line) or higher.

Overview

marshmallow is an ORM/ODM/framework-agnostic library for converting complex datatypes, such as objects, to and from native Python datatypes.

Affected versions of this package are vulnerable to Information Exposure. The schema's only option treats an empty list (only=[]) as if no only option had been supplied, so a serialization that was intended to expose no fields instead emits every field declared on the schema. The exposure is most likely to be reached where the field list is built from caller-controlled input, such as a fields query parameter that is present but empty, since that is the path on which an empty selection arises in practice.
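The following is an added, constructed example and is not marshmallow's own code. It models the faulty check in a few lines so the behaviour can be reproduced without installing an affected release: dump_vulnerable uses a truthiness test (under which [] and None take the same branch), dump_fixed tests for None explicitly and rejects unknown field names, and is_affected evaluates a version string against the two affected ranges stated in this advisory. The USER record, its field names and the fields_from_query helper are illustrative assumptions; the version boundaries are the advisory's own.

```python
# Constructed model of the marshmallow only=[] bug and its fix.
# Added example, not marshmallow's source: it reproduces the faulty
# truthiness check so the behaviour can be seen without an affected install.
import re
from typing import Iterable, List, Optional

# Constructed record: public fields next to ones that must never leak.
USER = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",
    "is_admin": True,
}
DECLARED_FIELDS = tuple(USER)


def dump_vulnerable(obj: dict, only: Optional[Iterable[str]] = None) -> dict:
    """Field selection with a truthiness check (the affected behaviour).

    [] is falsy, so only=[] takes the same branch as only=None and every
    declared field is emitted.
    """
    selected = DECLARED_FIELDS if not only else tuple(only)
    return {name: obj[name] for name in selected}


def dump_fixed(obj: dict, only: Optional[Iterable[str]] = None) -> dict:
    """Field selection that separates "not given" from "given, but empty".

    Only None means "all fields"; an empty list means "no fields".
    Unknown names fail closed instead of being silently ignored.
    """
    selected = DECLARED_FIELDS if only is None else tuple(only)
    unknown = set(selected) - set(DECLARED_FIELDS)
    if unknown:
        raise ValueError(f"unknown fields requested: {sorted(unknown)}")
    return {name: obj[name] for name in selected}


def fields_from_query(raw: str) -> List[str]:
    """Turn a ?fields=a,b query value into a list (assumed helper).

    ?fields= (present but empty) yields [], exactly the input that the
    vulnerable path turns into a full dump.
    """
    return [name for name in raw.split(",") if name]


# Version check against the advisory's affected ranges:
#   [,2.15.1)  and  [3.0.0a1,3.0.0b9)
_PRERELEASE_RANK = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?")


def _version_key(version: str) -> tuple:
    """Sortable key for X.Y.Z with an optional aN/bN/rcN suffix.

    A final release ranks above any pre-release of the same X.Y.Z.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    if m[4] is None:
        return (major, minor, patch, 3, 0)
    return (major, minor, patch, _PRERELEASE_RANK[m[4]], int(m[5]))


def is_affected(version: str) -> bool:
    """True if version falls inside either affected range of this advisory."""
    key = _version_key(version)
    return key < _version_key("2.15.1") or (
        _version_key("3.0.0a1") <= key < _version_key("3.0.0b9")
    )


if __name__ == "__main__":
    empty_selection = fields_from_query("")  # client sent ?fields= with no names
    print("vulnerable:", dump_vulnerable(USER, only=empty_selection))
    print("fixed:     ", dump_fixed(USER, only=empty_selection))
    for v in ("2.15.0", "2.15.1", "3.0.0a1", "3.0.0b8", "3.0.0b9", "3.0.0"):
        print(v, "affected" if is_affected(v) else "ok")
```

Run as a script, the vulnerable path prints the whole record, password_hash and is_admin included, while the fixed path prints an empty dict for the same empty selection. In application code the same lesson applies one layer up: when a field list comes from the request, decide explicitly what an empty list means and never let a falsy check collapse it into "everything".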