
CVE-2011-4103

Published: 27/10/2014 Updated: 18/12/2014
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

emitters.py in Django Piston prior to 0.2.3 and 0.2.x prior to 0.2.2.1 does not properly deserialize YAML data, which allows remote malicious users to execute arbitrary Python code via vectors related to the yaml.load method.

Vulnerable Product

djangoproject piston

Vendor Advisories

Debian Bug report logs - #647315 Security issue (no CVE yet) Package: python-django-piston; Maintainer for python-django-piston is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django-piston is src:python-django-piston (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff <jmm ...
It was discovered that the Piston framework can deserialize untrusted YAML and Pickle data, leading to remote code execution (CVE-2011-4103). The old stable distribution (lenny) does not contain a python-django-piston package. For the stable distribution (squeeze), this problem has been fixed in version 0.2.2-1+squeeze1. For the testing distribut ...