#VU21781 Input validation error in PyYAML - CVE-2017-18342

Cybersecurity Help s.r.o.

Published: 2019-10-15

Vulnerability identifier: #VU21781

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-18342

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PyYAML
Web applications / Modules and components for CMS

Vendor: The YAML Project

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to insufficient validation of user-supplied input in the "yaml.load()" API (yaml.safe_load is not used). A remote attacker can execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PyYAML: 3.01 - 3.13

External links
https://github.com/yaml/pyyaml/blob/master/CHANGES
https://github.com/yaml/pyyaml/pull/74

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

Multiple vulnerabilities in IBM Security Verify Access

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Anolis OS update for python38:3.8 module

Gentoo update for PyYAML

Fedora 28 update for PyYAML

Fedora 29 update for PyYAML

Fedora 30 update for PyYAML

Remote code execution in PyYAML component for Python