CVE-2020-1747: user/py3-pyyaml: full_load/FullLoader ACE
| Bugzilla ID | 251 |
| Alias(es) | CVE-2020-1747 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-03 14:13:06 -0500 |
| Modified | 2020-06-15 16:39:00 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-1747 |
Description
A vulnerability was discovered in the PyYAML library in versions
before 5.3.1, where it is susceptible to arbitrary code execution when
it processes untrusted YAML files through the full_load method or with
the FullLoader loader. Applications that use the library to process
untrusted input may be vulnerable to this flaw. An attacker could use
this flaw to execute arbitrary code on the system by abusing the
python/object/new constructor.