Published: 24/03/2020 Updated: 07/11/2023

CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 891

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

A vulnerability exists in the PyYAML library in versions prior to 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Vulnerable Product	Search on Vulmon	Subscribe to Product
pyyaml pyyaml
fedoraproject fedora 30
fedoraproject fedora 31
fedoraproject fedora 32
fedoraproject fedora 33
opensuse leap 15.1
oracle communications cloud native core network function cloud native environment 22.1.0

Synopsis Moderate: python38:38 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for the python38:38 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vul ...

Debian Bug report logs - #953013 pyyaml: CVE-2020-1747: arbitrary command execution through python/object/new when FullLoader is used Package: src:pyyaml; Maintainer for src:pyyaml is Debian Python Modules Team <python-modules-team@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: T ...

Debian Bug report logs - #966233 pyyaml: CVE-2020-14343 Package: src:pyyaml; Maintainer for src:pyyaml is Debian Python Modules Team <python-modules-team@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 25 Jul 2020 07:36:01 UTC Severity: important Tags: security, upstream Fo ...

Experimenting with the CVE-2020-14343 PyYAML vulnerability

pyyaml-CVE-2020-14343 Testing the CVE-2020-14343 vulnerability that affects the PyYAML library (version<54) "where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader" [BUG] The whole testing setup is contained within the test_yaml_vuln package which must be installed

DevSecOps workflow description For purpose of this technical assignement we use DVPWA app DVPWA is an intentionally vulnerable application This repo is a clone of DVPWA and is used for devsecops workflow technical challenges For SAST and SCA analysis of the code, we use Horusec open-source tool In this case, we use only CLI, which is not integrated with web UI of Horusec T

CWE-20 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747 https://github.com/yaml/pyyaml/pull/386 http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html https://www.oracle.com/security-alerts/cpujul2022.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/https://access.redhat.com/errata/RHSA-2020:4641 https://nvd.nist.gov https://github.com/raul23/pyyaml-CVE-2020-14343

CVE-2020-1747

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect