CVE-2017-18342

Published: 27 June 2018

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
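Because the fix lives in each application rather than in the library for stable releases (the notes below explain why), the practical defender's task is locating every yaml.load() call site that accepts untrusted input. The following is an added example, not code from this advisory, from Ubuntu or from the PyYAML project: a stdlib-only AST audit that flags yaml.load() called without a Loader, or with Loader / UnsafeLoader, and accepts yaml.safe_load() and the explicit SafeLoader form. The sample module, the names SAMPLE_SOURCE, SAFE_LOADERS, UNSAFE_LOADERS and audit_source are constructed for this example; which Loader classes are acceptable depends on the PyYAML version actually deployed, so adjust the two sets accordingly.

```python
import ast
from typing import List, Tuple

# Loader classes that construct arbitrary Python objects from tagged nodes.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}
# Loader classes this example accepts (assumption: tune to your PyYAML version).
SAFE_LOADERS = {"SafeLoader", "FullLoader", "BaseLoader"}

# Constructed sample module standing in for an application that embeds PyYAML.
SAMPLE_SOURCE = '''
import yaml
from yaml import load, safe_load, SafeLoader

def parse_config(text):
    return yaml.load(text)                       # bare load: unsafe before 5.1

def parse_doc(text):
    return load(text, Loader=yaml.UnsafeLoader)  # explicit opt-in to full power

def parse_ok(text):
    return yaml.safe_load(text)

def parse_ok2(text):
    return yaml.load(text, Loader=SafeLoader)

def parse_full(text):
    return yaml.load(text, Loader=yaml.FullLoader)
'''


class YamlLoadAuditor(ast.NodeVisitor):
    """Collects (line, reason) findings for risky yaml.load() calls."""

    def __init__(self) -> None:
        self.yaml_aliases = {"yaml"}      # names the yaml module is bound to
        self.load_aliases: set = set()    # names 'load' is imported under
        self.findings: List[Tuple[int, str]] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == "yaml":
                self.yaml_aliases.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "yaml":
            for alias in node.names:
                if alias.name == "load":
                    self.load_aliases.add(alias.asname or "load")
        self.generic_visit(node)

    def _is_yaml_load(self, func: ast.expr) -> bool:
        # Matches yaml.load(...) / y.load(...) and a bare load(...) imported from yaml.
        if isinstance(func, ast.Attribute) and func.attr == "load":
            return isinstance(func.value, ast.Name) and func.value.id in self.yaml_aliases
        return isinstance(func, ast.Name) and func.id in self.load_aliases

    @staticmethod
    def _loader_name(expr: ast.expr):
        if isinstance(expr, ast.Attribute):
            return expr.attr
        if isinstance(expr, ast.Name):
            return expr.id
        return None

    def visit_Call(self, node: ast.Call) -> None:
        if self._is_yaml_load(node.func):
            loader = node.args[1] if len(node.args) >= 2 else None  # positional form
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = kw.value
            if loader is None:
                self.findings.append(
                    (node.lineno, "yaml.load() without a Loader (unsafe before PyYAML 5.1)"))
            else:
                name = self._loader_name(loader)
                if name in UNSAFE_LOADERS:
                    self.findings.append(
                        (node.lineno, f"yaml.load() with {name} constructs arbitrary Python objects"))
                elif name not in SAFE_LOADERS:
                    self.findings.append(
                        (node.lineno, f"yaml.load() with unrecognised Loader {name!r}; review manually"))
        self.generic_visit(node)


def audit_source(source: str) -> List[Tuple[int, str]]:
    """Parse a Python module and return sorted (line, reason) findings."""
    auditor = YamlLoadAuditor()
    auditor.visit(ast.parse(source))
    return sorted(auditor.findings)


if __name__ == "__main__":
    for line, reason in audit_source(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Run against the sample module it reports the bare yaml.load() in parse_config and the UnsafeLoader call in parse_doc, and stays quiet on safe_load and the SafeLoader/FullLoader forms. Pointing audit_source at real files (ast.parse on each file's text) gives the list of call sites that a stable-release package would need to patch individually, which is exactly the remediation the notes below describe.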

Priority

Low

CVSS 3 base score: 9.8

Status

Package   Release                           Status
pyyaml    Upstream                          Needed
          Ubuntu 20.04 LTS (Focal Fossa)    Not vulnerable (5.1.2-1)
          Ubuntu 18.04 LTS (Bionic Beaver)  Ignored
          Ubuntu 16.04 ESM (Xenial Xerus)   Ignored
          Ubuntu 14.04 ESM (Trusty Tahr)    Ignored

Notes

Author       Note
seth-arnold  The patch changes the incredibly-unsafe yaml.load to the
             behaviour of safe_load; despite being many years overdue, it's also
             likely to break something.
mdeslaur     upstream has reverted the 4.1 fix, so as of 2020-10-06, there
             is no proper fix for this issue for stable releases, and fixing
             it is likely to cause compatibility issues. In stable releases
             individual software would need to be fixed instead of pyyaml
             itself. We are not going to be fixing pyyaml itself, marking as
             ignored.
