CVE-2020-1747

Published: Mar 24, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Affected (7)

Products: Pyyaml: Pyyaml · Fedoraproject: Fedora · Opensuse: Leap · +1 more

Show all products

Pyyaml: Pyyaml · Fedoraproject: Fedora · Opensuse: Leap · Oracle: Communications Cloud Native Core Network Function Cloud Native Environment

1 product

1 product

1 product

1 product

Communications Cloud Native Core Network Function Cloud Native Environment

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pyyaml Pyyaml	From 5.1 to 5.3.1

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 30
Fedoraproject Fedora	Version 31
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.1

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Cloud Native Core Network Function Cloud Native Environment	Version 22.1.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (20)

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://github.com/yaml/pyyaml/pull/386

Source: secalert@redhat.com

PatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/

Source: secalert@redhat.com

https://www.oracle.com/security-alerts/cpujul2022.html

Source: secalert@redhat.com

PatchThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/yaml/pyyaml/pull/386

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.oracle.com/security-alerts/cpujul2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.