This repository has been archived by the owner on May 22, 2024. It is now read-only.
CVE-2019-20477 (Critical) detected in PyYAML-5.1.1.tar.gz #128
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
CVE-2019-20477 - Critical Severity Vulnerability
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/a3/65/837fefac7475963d1eccf4aa684c23b95aa6c1d033a2c5965ccb11e22623/PyYAML-5.1.1.tar.gz
Path to dependency file: /gubernator/test_requirements.txt
Path to vulnerable library: /gubernator/test_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 382b29d19019bd87f2a1548fdf019dc9d51f5328
Found in base branch: improbable
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
Publish Date: 2020-02-19
URL: CVE-2019-20477
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477
Release Date: 2020-02-19
Fix Resolution: 5.2
The text was updated successfully, but these errors were encountered: