QwikSec

Security Database

CVE

CWE

Training

CVE-2017-16615

Published: Nov 8, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/thanethomson/MLAlchemy/commit/bc795757febdcce430d89f9d08f75c32d6989d3c

x_refsource_CONFIRM

https://github.com/thanethomson/MLAlchemy/issues/1

x_refsource_CONFIRM

https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16615-critical-restful-web-applications-vulnerability/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2017-16615 - Security Vulnerability | QwikSec