CVE-2020-1747

high-risk

Published 2020-03-24

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Do I need to act?

3.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (7)

Pyyaml

Fedora

Leap

Communications Cloud Native Core Network Function Cloud Native Environment

Affected Vendors

Oracle Fedoraproject Opensuse Pyyaml

References (20)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747

Patch https://github.com/yaml/pyyaml/pull/386

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747

Patch https://github.com/yaml/pyyaml/pull/386

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Patch https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 6/34 · Minimal

Exposure 14/34 · Moderate