CVE-2017-18342

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

Published: Jun 27, 2018
Updated: Nov 8, 2023
CVE: CVE-2017-18342
GHSA: GHSA-rprw-h62v-c2w7
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
pyyaml / pyyaml	-	5.1
fedoraproject / fedora	28	28.x
fedoraproject / fedora	29	29.x
fedoraproject / fedora	30	30.x
PyYAML	-	4.1

https://github.com/marshmallow-code/apispec/issues/278
https://github.com/yaml/pyyaml/blob/master/CHANGES
https://github.com/yaml/pyyaml/issues/193
https://github.com/yaml/pyyaml/pull/74
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
https://security.gentoo.org/glsa/202003-45

Vulnerability Database

CVE-2017-18342