Arbitrary Code Execution

Affecting pyyaml package, versions [,4.2b1)


Overview

pyyaml is a YAML parser and emitter for Python.

Affected versions of this package are vulnerable to Arbitrary Code Execution. When yaml.load() is called without an explicit Loader, it uses the full loader, which honours PyYAML's !!python/object-style tags and will instantiate arbitrary Python objects, including calling arbitrary callables with attacker-chosen arguments, while the document is being parsed. Anyone who controls a YAML document that the application passes to yaml.load() can therefore execute code in the parsing process.

Remediation

Upgrade pyyaml to version 4.2b1 or higher. Independently of the installed version, never pass attacker-controlled YAML to yaml.load() without a safe Loader: use yaml.safe_load(data) (or yaml.load(data, Loader=yaml.SafeLoader)), which constructs only plain YAML types and raises a constructor error on the python/* tags that the full loader would execute.
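The practical check for the overview and remediation above is to find every yaml.load()/yaml.load_all() call in a code base that runs with the default or an explicitly unsafe Loader. The following audit is an added example written for this advisory, not code from Snyk or the PyYAML project; it uses only the standard library ast module so it runs whether or not pyyaml is installed, and SAMPLE_SOURCE is constructed input, not a real project. The loader class names, and the positional-or-Loader= argument convention, are PyYAML's own; the verdict labels and the load_untrusted helper (the hardened form, shown for contrast) are this example's assumptions.

```python
"""Find PyYAML load()/load_all() calls that run with the default or an
explicitly unsafe Loader. Added example for this advisory, stdlib only;
SAMPLE_SOURCE is constructed input, not code from any real project."""
import ast

# Loaders that construct only plain YAML types (no python/* tags).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Loaders that honour !!python/object* tags and can execute code on load.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "CLoader", "CUnsafeLoader"}
LOAD_FUNCS = {"load", "load_all"}


def _loader_name(node):
    """Trailing identifier of a Loader value: yaml.SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None  # e.g. a call or subscript; cannot be classified statically


def audit_yaml_loads(source):
    """Return sorted [(lineno, verdict)] for every PyYAML load/load_all call.

    verdict: 'default-loader'  no Loader passed (yaml.Loader on affected versions)
             'unsafe-loader'   Loader is one of UNSAFE_LOADERS
             'safe-loader'     Loader is one of SAFE_LOADERS
             'unknown-loader'  Loader given but not resolvable (custom class, variable)
    """
    tree = ast.parse(source)

    # Names under which load/load_all were imported directly
    # (`from yaml import load as yload`).
    bare_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                if alias.name in LOAD_FUNCS:
                    bare_names.add(alias.asname or alias.name)

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            hit = (isinstance(func.value, ast.Name) and func.value.id == "yaml"
                   and func.attr in LOAD_FUNCS)
        else:
            hit = isinstance(func, ast.Name) and func.id in bare_names
        if not hit:
            continue

        # The Loader may be the second positional argument or the Loader= keyword.
        given, name = False, None
        if len(node.args) >= 2:
            given, name = True, _loader_name(node.args[1])
        for kw in node.keywords:
            if kw.arg == "Loader":
                given, name = True, _loader_name(kw.value)

        if not given:
            verdict = "default-loader"
        elif name in SAFE_LOADERS:
            verdict = "safe-loader"
        elif name in UNSAFE_LOADERS:
            verdict = "unsafe-loader"
        else:
            verdict = "unknown-loader"
        findings.append((node.lineno, verdict))
    return sorted(findings)


def load_untrusted(text):
    """Hardened form (assumed helper name): safe_load constructs only plain YAML
    types and raises a ConstructorError on !!python/* tags instead of running
    them. pyyaml is imported lazily so the audit above runs without it."""
    import yaml
    return yaml.safe_load(text)


# Constructed sample input for the audit (not from any real code base).
SAMPLE_SOURCE = '''\
import yaml
from yaml import load as yload

def read_config(path):
    with open(path) as fh:
        return yaml.load(fh)

def read_legacy(text):
    return yload(text, Loader=yaml.Loader)

def read_untrusted(text):
    return yaml.safe_load(text)

def read_explicit(text):
    return yaml.load(text, yaml.SafeLoader)
'''

if __name__ == "__main__":
    for lineno, verdict in audit_yaml_loads(SAMPLE_SOURCE):
        print(f"line {lineno}: {verdict}")
```

Run against SAMPLE_SOURCE the audit reports line 6 as default-loader (the vulnerable pattern this advisory describes), line 9 as unsafe-loader and line 15 as safe-loader; yaml.safe_load() is not a load() call and is not reported. Treat every default-loader and unsafe-loader finding that can receive external input as exploitable, and review unknown-loader findings by hand.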

References

CVSS Score

9.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit
Unknown
CVE
CVE-2017-18342
CWE
CWE-94
Snyk ID
SNYK-PYTHON-PYYAML-42159
Disclosed
26 Aug, 2017
Published
28 Jun, 2018