CVE-2020-1747

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Published: Mar 24, 2020
Updated: Nov 8, 2023
CVE: CVE-2020-1747
GHSA: GHSA-6757-jp84-gxfx
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
pyyaml / pyyaml	5.1	5.3.1
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
opensuse / leap	15.1	15.1.x
oracle / communications_cloud_native_core_network_function_cloud_native_environment	22.1.0	22.1.0.x
PyYAML	-	5.3.1

Vulnerability Database

CVE-2020-1747