CVE-2017-18342 — CRITICAL (9.8)

Q: How severe is CVE-2017-18342?

CVE-2017-18342 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-18342?

Check the references section above for vendor advisories and patch information. Affected products include: Pyyaml Pyyaml, Fedoraproject Fedora.

Vulnerability Description

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Pyyaml	Pyyaml	< 5.1
Fedoraproject	Fedora	28

Related Weaknesses (CWE)

CWE-502

References

https://github.com/marshmallow-code/apispec/issues/278Third Party Advisory
https://github.com/yaml/pyyaml/blob/master/CHANGESRelease NotesThird Party Advisory
https://github.com/yaml/pyyaml/issues/193Third Party Advisory
https://github.com/yaml/pyyaml/pull/74PatchThird Party Advisory
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202003-45Third Party Advisory
https://github.com/marshmallow-code/apispec/issues/278Third Party Advisory
https://github.com/yaml/pyyaml/blob/master/CHANGESRelease NotesThird Party Advisory
https://github.com/yaml/pyyaml/issues/193Third Party Advisory
https://github.com/yaml/pyyaml/pull/74PatchThird Party Advisory
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2017-18342?

CVE-2017-18342 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced fo...

How severe is CVE-2017-18342?

CVE-2017-18342 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-18342?

Check the references section above for vendor advisories and patch information. Affected products include: Pyyaml Pyyaml, Fedoraproject Fedora.