CVE-2020-1747

CVE-2020-1747

Name

CVE-2020-1747

Description

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Issue Tracking	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747
Patch	https://github.com/yaml/pyyaml/pull/386
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/
Mailing List	http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html
Mailing List	http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/

Type

URI

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747

Patch

https://github.com/yaml/pyyaml/pull/386

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:pyyaml:pyyaml::::::::`	pyyaml	>= 5.1	< 5.3.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:pyyaml:pyyaml:*:*:*:*:*:*:*:*

pyyaml

>= 5.1

< 5.3.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
py3-yaml	edge-main	5.3.1-r0	None	fixed
py3-yaml	3.22-main	5.3.1-r0	None	fixed
py3-yaml	3.21-main	5.3.1-r0	None	fixed
py3-yaml	3.20-main	5.3.1-r0	None	fixed
py3-yaml	3.19-main	5.3.1-r0	None	fixed
py3-yaml	3.18-main	5.3.1-r0	None	fixed
py3-yaml	3.17-main	5.3.1-r0	None	fixed
py3-yaml	3.12-main	5.3.1-r0	None	fixed
py3-yaml	3.11-main	5.3.1-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

py3-yaml

edge-main

5.3.1-r0

None

fixed

py3-yaml

3.22-main