Published: 27 June 2018
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code when used on untrusted data: the default Loader honoured the python/object, python/object/apply and similar tags, which import a module and call any attribute of it with attacker-chosen arguments. Since 5.1, calling load() without an explicit Loader argument emits a deprecation warning and no longer selects the fully unsafe loader; the UnsafeLoader class was introduced for backward compatibility with code that relied on the old behaviour. Code that parses input it does not control should call yaml.safe_load() (or yaml.load() with Loader=yaml.SafeLoader), which only constructs plain YAML types and rejects unknown tags.
CVSS 3 base score: 9.8
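The difference between the two loaders, as an added example that is not part of the original advisory or of PyYAML's own code. It assumes PyYAML is installed (any 3.x, 5.x or 6.x release; yaml.Loader is the class the pre-5.1 load() used by default), and the YAML document is constructed here for the demonstration. os.getcwd is called instead of os.system so the run has no side effects; the mechanism is identical.

```python
"""Added example: why yaml.load() with the default loader was dangerous,
and that yaml.safe_load() refuses the same document."""
import yaml

# Constructed attacker-controlled document. The !!python/object/apply tag
# makes the unsafe constructor import the named module, look up the
# attribute and call it with the listed arguments. os.getcwd is used so the
# demonstration has no side effects; os.system with a shell string works
# exactly the same way.
UNTRUSTED_DOC = '!!python/object/apply:os.getcwd []\n'


def load_unsafe(doc: str):
    """What yaml.load(doc) did before 5.1: yaml.Loader was the default and
    honours every python/* tag, so merely parsing the document calls
    os.getcwd() and returns its result."""
    return yaml.load(doc, Loader=yaml.Loader)


def load_safe(doc: str):
    """The correct call for untrusted input. SafeLoader knows only the
    core YAML types and raises a ConstructorError (a YAMLError subclass)
    on the python/* tag instead of resolving it."""
    return yaml.safe_load(doc)


def demo() -> dict:
    """Run both loaders on the same document and report what happened."""
    result = {"unsafe": load_unsafe(UNTRUSTED_DOC)}
    try:
        result["safe"] = load_safe(UNTRUSTED_DOC)
        result["safe_rejected"] = False
    except yaml.YAMLError:
        result["safe"] = None
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    r = demo()
    print("yaml.Loader executed os.getcwd() ->", r["unsafe"])
    print("safe_load rejected the document  ->", r["safe_rejected"])
```

A quick audit of a code base is to grep for `yaml.load(` and check that every call either passes `Loader=yaml.SafeLoader` or is replaced by `yaml.safe_load`; a bare `yaml.load(x)` on a pre-5.1 PyYAML is the vulnerable pattern this advisory describes.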
The patch changes the incredibly-unsafe yaml.load to the behaviour of safe_load; despite being many years overdue, it's also likely to break something.
Upstream has reverted the 4.1 fix, so as of 2020-10-06 there is no proper fix for this issue for stable releases, and fixing it is likely to cause compatibility issues. In stable releases individual software would need to be fixed instead of pyyaml itself. We are not going to be fixing pyyaml itself, marking as ignored.