-
Notifications
You must be signed in to change notification settings - Fork 40
CVE-2019-20477 (High) detected in PyYAML-5.1.2.tar.gz #809
Comments
This issue/pull request has been marked as |
This issue/pull request has been marked as |
This issue/pull request has been marked as |
This issue/pull request has been marked as |
|
Closing this bug as duplicate of [EOS-23696] Upgrade PyYAML library from PyYAML-5.1.2.tar.gz to PyYAML 5.4.1 - JIRA NSS (seagate.com)
All the PyYAML related vulnerability bugs will be now tracked thru 23696 |
Duplicate of [EOS-23696] Upgrade PyYAML library from PyYAML-5.1.2.tar.gz to PyYAML 5.4.1 - JIRA NSS (seagate.com) |
CVE-2019-20477 - High Severity Vulnerability
Vulnerable Library - PyYAML-5.1.2.tar.gz
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/e3/e8/b3212641ee2718d556df0f23f78de8303f068fe29cdaa7a91018849582fe/PyYAML-5.1.2.tar.gz
Path to dependency file: cortx-prvsnr/test-requirements.txt
Path to vulnerable library: /test-requirements.txt,/test/api/python/integration/setup/test,/lr-cli,/devops/jenkins,/srv/components/system/files/cortx_py_utils_requirements.txt,/api/python/provisioner/commands/configure
Dependency Hierarchy:
Found in HEAD commit: b9f45319b784da9858a9d7416cba5c1c808b2863
Vulnerability Details
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
Publish Date: 2020-02-19
URL: CVE-2019-20477
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477
Release Date: 2020-02-19
Fix Resolution: 5.2
The text was updated successfully, but these errors were encountered: