An arbitrary code execution vulnerability was discovered in PyYAML when YAML documents are parsed with FullLoader. This loader is used by default by yaml.load() when no Loader is specified, and it is the loader behind yaml.full_load(). Applications that use PyYAML to parse untrusted input may be vulnerable to this flaw, which allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor.
Acknowledgments: Riccardo Schirone (Red Hat)
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.
Even though the CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the Impact of this flaw is set to Medium because `yaml.load`/`yaml.full_load` should not be used on untrusted input in the first place. When untrusted input has to be parsed, `SafeLoader` or `yaml.safe_load` must be used instead; PyYAML's documentation has said so for a very long time.
Mitigation: Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.
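The two checks a maintainer would want after reading the description and the mitigation above, as an added example that is not part of the Red Hat advisory or of PyYAML itself: a wrapper that parses untrusted text with SafeLoader only, which has no constructor for any `!!python/...` tag and therefore raises `yaml.constructor.ConstructorError` instead of instantiating objects, and a small `ast`-based audit that reports `yaml.load()`/`yaml.load_all()`/`yaml.full_load()` calls in a code base that are not pinned to a safe loader. It assumes PyYAML is installed (SafeLoader behaves the same across versions); the sample documents and the source snippet being audited are constructed here, and the tagged documents only mimic the shape of a python/object/new payload, they are not a working exploit.

```python
"""Added example for CVE-2020-1747 (not from the advisory or from PyYAML).

Assumes PyYAML is importable.  All inputs below are constructed samples.
"""
import ast
import yaml

# Constructed YAML documents.  The tagged ones have the *shape* of the
# python/object/new mechanism named in the advisory; under SafeLoader they
# never reach object construction, so they are not an exploit.
BENIGN_DOC = """
listen: "0.0.0.0:8443"
workers: 4
upstreams:
  - app1:8080
  - app2:8080
"""

TAGGED_DOCS = {
    "object/new": "!!python/object/new:os.system ['id']\n",
    "object/apply": "!!python/object/apply:os.system ['id']\n",
    "name": "!!python/name:os.system\n",
}


def parse_untrusted(text):
    """Parse YAML from an untrusted source with SafeLoader only.

    Returns (data, None) on success, or (None, message) when the document
    is malformed or uses a tag SafeLoader refuses (e.g. !!python/object/new).
    """
    try:
        return yaml.load(text, Loader=yaml.SafeLoader), None
    except yaml.constructor.ConstructorError as exc:
        return None, "rejected: %s" % exc.problem
    except yaml.YAMLError as exc:
        return None, "malformed: %s" % exc


def safe_loader_rejects_python_tags():
    """True if SafeLoader refuses every constructed python-tagged document."""
    return all(parse_untrusted(doc)[0] is None for doc in TAGGED_DOCS.values())


# --- static audit of a code base -------------------------------------------
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
LOAD_FUNCS = {"load", "load_all"}              # safe only with an explicit safe Loader=
UNSAFE_FUNCS = {"full_load", "full_load_all",  # FullLoader / UnsafeLoader by construction
                "unsafe_load", "unsafe_load_all"}

# Constructed snippet to audit; line numbers count from the leading newline.
SAMPLE_SOURCE = '''
import yaml

def read_nginx_conf(path):          # trusted file, but still worth pinning the loader
    with open(path) as fh:
        return yaml.load(fh)

def read_request_body(body):
    return yaml.full_load(body)

def read_config(text):
    return yaml.load(text, Loader=yaml.FullLoader)

def read_manifest(text):
    return yaml.safe_load(text)

def read_stream(text):
    return yaml.load_all(text, Loader=yaml.SafeLoader)
'''


def _loader_name(node):
    """Last component of a loader expression: yaml.SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return "<expr>"


def find_unsafe_yaml_calls(source):
    """Return sorted (line, reason) pairs for yaml.* calls not pinned to a safe loader.

    Only calls spelled as yaml.<func>(...) are recognised; 'from yaml import load'
    style aliases are out of scope for this small check.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        if not (isinstance(node.func.value, ast.Name) and node.func.value.id == "yaml"):
            continue
        func = node.func.attr
        if func in UNSAFE_FUNCS:
            findings.append((node.lineno, "yaml.%s() uses FullLoader/UnsafeLoader" % func))
        elif func in LOAD_FUNCS:
            loader = _loader_name(node.args[1]) if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = _loader_name(kw.value)
            if loader is None:
                findings.append((node.lineno, "yaml.%s() without Loader= (FullLoader by default)" % func))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, "yaml.%s() with Loader=%s" % (func, loader)))
    return sorted(findings)
```

Run `find_unsafe_yaml_calls(SAMPLE_SOURCE)` and it reports lines 6, 9 and 12 of the constructed snippet (the bare `yaml.load`, the `yaml.full_load`, and the explicit `Loader=yaml.FullLoader`), while the `safe_load` and `SafeLoader` calls pass; `safe_loader_rejects_python_tags()` returns True because SafeLoader has no constructor for any of the `!!python/...` tags and raises before anything is instantiated.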
Statement: Red Hat Quay 3.2 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.
Upstream PR: https://github.com/yaml/pyyaml/pull/386
Created PyYAML tracking bugs for this issue: Affects: fedora-all [bug 1809011]
OpenStack: set to 'notaffected' because the packaged RHOSP version (PyYAML-3.10-11.el7) predates FullLoader (introduced upstream in 5.1) and does not contain the affected code in lib/yaml/loader.py and constructor.py.
Upstream fix: https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1747
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641