CVE-2019-20477 (High) detected in PyYAML-5.1.2.tar.gz

[mend-bolt-for-github]

CVE-2019-20477 - High Severity Vulnerability

Vulnerable Library - PyYAML-5.1.2.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/e3/e8/b3212641ee2718d556df0f23f78de8303f068fe29cdaa7a91018849582fe/PyYAML-5.1.2.tar.gz

Path to dependency file: cortx-prvsnr/test-requirements.txt

Path to vulnerable library: /test-requirements.txt,/test/api/python/integration/setup/test,/lr-cli,/devops/jenkins,/srv/components/system/files/cortx_py_utils_requirements.txt,/api/python/provisioner/commands/configure

Dependency Hierarchy:

• ❌ PyYAML-5.1.2.tar.gz (Vulnerable Library)

Found in HEAD commit: b9f45319b784da9858a9d7416cba5c1c808b2863

Vulnerability Details

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

Publish Date: 2020-02-19

URL: CVE-2019-20477

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477

Release Date: 2020-02-19

Fix Resolution: 5.2

[stale]

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @83bhp @andkononykhin2 for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.

[stale]

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @83bhp @andkononykhin2 for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.

[stale]

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @83bhp @andkononykhin2 for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.

[stale]

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @83bhp @andkononykhin2 for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.

[cortx-admin]

Swanand Gadre commented in Jira Server:

[cortx-admin]

Swanand Gadre commented in Jira Server:

Closing this bug as duplicate of [EOS-23696] Upgrade PyYAML library from PyYAML-5.1.2.tar.gz to PyYAML 5.4.1 - JIRA NSS (seagate.com)

 

All the PyYAML related vulnerability bugs will be now tracked thru 23696

[cortx-admin]

Swanand Gadre commented in Jira Server:

Duplicate of [EOS-23696] Upgrade PyYAML library from PyYAML-5.1.2.tar.gz to PyYAML 5.4.1 - JIRA NSS (seagate.com)