CVE-2017-18342

Description

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

References

Link	Tags
https://github.com/yaml/pyyaml/pull/74	third party advisory patch
https://github.com/yaml/pyyaml/blob/master/CHANGES	third party advisory release notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/	vendor advisory
https://github.com/marshmallow-code/apispec/issues/278	third party advisory
https://github.com/yaml/pyyaml/issues/193	third party advisory
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation
https://security.gentoo.org/glsa/202003-45	third party advisory vendor advisory

Frequently Asked Questions

What is the severity of CVE-2017-18342?: CVE-2017-18342 has been scored as a critical severity vulnerability.
How to fix CVE-2017-18342?: To fix CVE-2017-18342, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2017-18342 being actively exploited in the wild?: It is possible that CVE-2017-18342 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~4% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-502 – Deserialization of Untrusted Data

References

Frequently Asked Questions