CVE-2017-18342

high-risk

Published 2018-06-27

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

Do I need to act?

4.5% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: e471e86bf6dabdad45a1438c20a4a5c033eb9034

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (4)

Pyyaml

Fedora

Affected Vendors

Fedoraproject Pyyaml

References (18)

Third Party Advisory https://github.com/marshmallow-code/apispec/issues/278

Release Notes https://github.com/yaml/pyyaml/blob/master/CHANGES

Third Party Advisory https://github.com/yaml/pyyaml/issues/193

Patch https://github.com/yaml/pyyaml/pull/74

https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202003-45

Third Party Advisory https://github.com/marshmallow-code/apispec/issues/278

Release Notes https://github.com/yaml/pyyaml/blob/master/CHANGES

Third Party Advisory https://github.com/yaml/pyyaml/issues/193

Patch https://github.com/yaml/pyyaml/pull/74

https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202003-45

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 8/34 · Low

Exposure 10/34 · Low