Information Exposure Affecting marshmallow package, versions [,2.15.1) [3.0.0a1,3.0.0b9)
Snyk CVSS
Attack Complexity: Low
Threat Intelligence
EPSS: 0.09% (38th percentile)
- Snyk ID SNYK-PYTHON-MARSHMALLOW-72559
- published 4 Nov 2018
- disclosed 19 Apr 2018
- credit Unknown
Introduced: 19 Apr 2018
CVE-2018-17175
How to fix?
Upgrade marshmallow to version 2.15.1, 3.0.0b9
Overview
marshmallow is an ORM/ODM/framework-agnostic library for converting complex datatypes, such as objects, to and from native Python datatypes.
Affected versions of this package are vulnerable to Information Exposure. The schema `only` option treats an empty list as implying no `only` option, which allows a request that was intended to expose no fields to instead expose all fields.
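
The following added example is not part of the advisory and is not marshmallow's own code. It models the flaw with a plain dictionary filter, representing the affected behaviour as a truthiness check on `only` (an assumption about how an empty list comes to mean "no filter"), next to the corrected check and a caller-side guard. The record, roles and function names are constructed for illustration.

```python
# Stand-alone model of the flaw; this is not marshmallow's source code.
# The record, field names and roles below are constructed sample data.

USER = {"id": 7, "name": "alice", "email": "alice@example.test", "pw_hash": "<redacted>"}
ROLE_FIELDS = {"admin": {"id", "name", "email"}, "guest": set()}


def select_vulnerable(record, only=None):
    """Affected behaviour: an empty `only` is falsy, so it is treated as 'not set'."""
    if only:  # [], () and set() all fall through to "no filter"
        return {k: v for k, v in record.items() if k in only}
    return dict(record)


def select_fixed(record, only=None):
    """Fixed behaviour: only None means 'no filter'; an empty collection means 'no fields'."""
    if only is not None:
        return {k: v for k, v in record.items() if k in only}
    return dict(record)


def allowed_fields(role, requested):
    """Intersect the fields a caller asked for with what the role may see."""
    return sorted(ROLE_FIELDS.get(role, set()) & set(requested))


def dump_for(role, requested, select):
    """Serialize USER for a role using the given selection function."""
    return select(USER, only=allowed_fields(role, requested))


def dump_guarded(role, requested, select):
    """Caller-side guard for code that cannot upgrade yet: never pass an empty `only`."""
    fields = allowed_fields(role, requested)
    return select(USER, only=fields) if fields else {}


if __name__ == "__main__":
    req = ["email", "pw_hash"]  # a guest is entitled to neither field
    print("vulnerable:", dump_for("guest", req, select_vulnerable))
    print("fixed:     ", dump_for("guest", req, select_fixed))
    print("guarded:   ", dump_guarded("guest", req, select_vulnerable))
```

The same three cases (no `only`, an empty `only`, a non-empty `only`) make a useful regression test against a real schema after upgrading.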