CVE-2020-14343

Publication date 9 February 2021

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

9.8 · Critical

Score breakdown

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Read the notes from the security team

Status

Package Ubuntu Release Status
pyyaml 21.04 hirsute
Fixed 5.3.1-3ubuntu1
20.10 groovy
Fixed 5.3.1-2ubuntu0.1
20.04 LTS focal
Fixed 5.3.1-1ubuntu0.1
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected

Notes


sbeattie

incomplete fix of CVE-2020-1747


mdeslaur

FullLoader was introduced in 5.1. FullLoader should not be used on untrusted input.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
pyyaml

Severity score breakdown

Parameter Value
Base score 9.8 · Critical
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references