PYSEC-2020-176

Import Source: https://github.com/pypa/advisory-database/blob/main/vulns/pyyaml/PYSEC-2020-176.yaml
JSON Data: https://api.osv.dev/v1/vulns/PYSEC-2020-176
Aliases: [none listed]
Published: 2020-02-19T04:15:00Z
Modified: 2023-11-08T04:01:30.627114Z
Summary
[none]
Details

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

References

Affected packages

PyPI / pyyaml

Affected ranges
Type: ECOSYSTEM
Introduced: 5.1
Fixed: 5.2b1

Affected versions
5.*: 5.1, 5.1.1, 5.1.2