CVE-2019-20477 (Critical) detected in PyYAML-5.1.1.tar.gz #220
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2019-20477 - Critical Severity Vulnerability
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/a3/65/837fefac7475963d1eccf4aa684c23b95aa6c1d033a2c5965ccb11e22623/PyYAML-5.1.1.tar.gz
Path to dependency file: /asynql/docs/requirements.txt
Path to vulnerable library: /teSource-ArchiveExtractor_c7182848-0dc6-4a0a-8209-5c716eca17c9/20190619005844_75866/20190619005751_depth_0/29/py-1.8.0-py2.py3-none-any/py,/teSource-ArchiveExtractor_c7182848-0dc6-4a0a-8209-5c716eca17c9/20190619005844_75866/20190619005751_depth_0/40/PyYAML-5.1.1.tar/PyYAML-5.1.1
Dependency Hierarchy:
Found in base branch: master
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
Publish Date: 2020-02-19
URL: CVE-2019-20477
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477
Release Date: 2020-02-19
Fix Resolution: 5.2
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: