From 2acbd03da0c12f63b77be9348b7f1d662322cc7d Mon Sep 17 00:00:00 2001
From: Dmitry Marakasov
Date: Wed, 2 Jun 2021 21:36:44 +0300
Subject: security/vuxml: add entry for PyYAML CVE-2020-14343

PR: 256220
---
 security/vuxml/vuln.xml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

(limited to 'security/vuxml/vuln.xml')

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index f59756dc1458..5e3fb6707996 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,42 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + PyYAML -- arbitrary code execution + + + py36-yaml + py37-yaml + py38-yaml + py39-yaml + 5.4 + + + + +

A vulnerability was discovered in the PyYAML library + in versions before 5.4, where it is susceptible to arbitrary + code execution when it processes untrusted YAML files + through the full_load method or with the FullLoader loader. + Applications that use the library to process untrusted + input may be vulnerable to this flaw. This flaw allows + an attacker to execute arbitrary code on the system by + abusing the python/object/new constructor. This flaw is + due to an incomplete fix for CVE-2020-1747.

+ +
+ + CVE-2020-14343 + https://github.com/yaml/pyyaml/issues/420 + https://access.redhat.com/security/cve/CVE-2020-14343 + https://bugzilla.redhat.com/show_bug.cgi?id=1860466 + + + 2020-07-22 + 2021-06-02 + +
isc-dhcp -- remotely exploitable vulnerability
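Review bot: the description names CVE-2020-1747 as the incompletely fixed predecessor of this flaw, but the references block lists only CVE-2020-14343, the upstream issue and the two Red Hat links for it; add the earlier CVE (or a pointer to its existing VuXML entry) so a reader can follow the chain from the first fix to this one. Two smaller points on the same entry: the affected set is py36-yaml, py37-yaml, py38-yaml and py39-yaml with the range ending at 5.4, so confirm that this covers every flavour of the port, as the "Do not forget port variants" note just above the hunk asks; and the last two sentences of the description both open with "This flaw", which reads awkwardly and could be merged into one, for example "This flaw, caused by an incomplete fix for CVE-2020-1747, allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor."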