Vulnerability Description
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Marshmallow Project | Marshmallow | < 2.15.1 |
References
- https://github.com/marshmallow-code/marshmallow/issues/772Issue TrackingThird Party Advisory
- https://github.com/marshmallow-code/marshmallow/pull/777Third Party Advisory
- https://github.com/marshmallow-code/marshmallow/pull/782Third Party Advisory
- https://github.com/marshmallow-code/marshmallow/issues/772Issue TrackingThird Party Advisory
- https://github.com/marshmallow-code/marshmallow/pull/777Third Party Advisory
- https://github.com/marshmallow-code/marshmallow/pull/782Third Party Advisory
FAQ
What is CVE-2018-17175?
CVE-2018-17175 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expo...
How severe is CVE-2018-17175?
CVE-2018-17175 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-17175?
Check the references section above for vendor advisories and patch information. Affected products include: Marshmallow Project Marshmallow.