CVE-2020-1747 — CRITICAL (9.8)

Q: How severe is CVE-2020-1747?

CVE-2020-1747 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-1747?

Check the references section above for vendor advisories and patch information. Affected products include: Pyyaml Pyyaml, Fedoraproject Fedora, Opensuse Leap, Oracle Communications Cloud Native Core Network Function Cloud Native Environment.

Vulnerability Description

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Pyyaml	Pyyaml	>= 5.1, < 5.3.1
Fedoraproject	Fedora	30
Opensuse	Leap	15.1
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	22.1.0

Related Weaknesses (CWE)

CWE-20

References

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.htmlMailing ListThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747Issue TrackingPatchThird Party Advisory
https://github.com/yaml/pyyaml/pull/386PatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.htmlMailing ListThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747Issue TrackingPatchThird Party Advisory
https://github.com/yaml/pyyaml/pull/386PatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2020-1747?

CVE-2020-1747 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method o...

How severe is CVE-2020-1747?

CVE-2020-1747 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-1747?

Check the references section above for vendor advisories and patch information. Affected products include: Pyyaml Pyyaml, Fedoraproject Fedora, Opensuse Leap, Oracle Communications Cloud Native Core Network Function Cloud Native Environment.