QwikSec

Security Database

CVE

CWE

Training

CVE-2020-1747

Published: Mar 24, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

9.8

CRITICAL

Description

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Vendor	Product	Versions
Red Hat	PyYAML	affected `5.3.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

FEDORA-2020-40c35d7b37

vendor-advisory

x_refsource_FEDORA

FEDORA-2020-bdb0bfa928

vendor-advisory

x_refsource_FEDORA

FEDORA-2020-e9741a6a15

vendor-advisory

x_refsource_FEDORA

openSUSE-SU-2020:0507

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2020:0630

vendor-advisory

x_refsource_SUSE

FEDORA-2021-3342569a0f

vendor-advisory

x_refsource_FEDORA

FEDORA-2021-eed7193502

vendor-advisory

x_refsource_FEDORA

https://www.oracle.com/security-alerts/cpujul2022.html

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747

x_refsource_CONFIRM

https://github.com/yaml/pyyaml/pull/386

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.