Bug 1807367 (CVE-2020-1747)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-1747 PyYAML: arbitrary command execution through python/object/new when FullLoader is used | | |
| Product | [Other] Security Response | Reporter | Riccardo Schirone <rschiron> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | bdettelb, dbecker, hhorak, jeckersb, jjoyce, jorton, jschluet, kmullins, lbalhar, lhh, lpeer, mburns, orion, python-maint, sclewis, security-response-team, slinaber, TicoTimo, tomckay |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | PyYAML 5.3.1 | Doc Type | If docs needed, set a value |
| Doc Text | A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-11-04 02:24:31 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1809010, 1809011, 1810083, 1910658 | | |
| Bug Blocks | 1807368 | | |
Description
Riccardo Schirone
2020-02-26 08:26:35 UTC
Acknowledgments:

Name: Riccardo Schirone (Red Hat)

FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1. Even though the CVSS is 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the Impact of this flaw is set to Medium as `yaml.load`/`yaml.full_load` should not be used on untrusted input. When untrusted input needs to be parsed, `SafeLoader` or `yaml.safe_load` must be used instead. This has been documented for a very long time in PyYAML.

Mitigation: Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.

Statement: Red Hat Quay 3.2 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.

Upstream PR: https://github.com/yaml/pyyaml/pull/386

Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1809011]

OpenStack: set to 'notaffected' because the packaged RHOSP version (PyYAML-3.10-11.el7) doesn't have the FullLoader code (lib/yaml/loader.py and constructor.py).

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1747

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641
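The mitigation above (use `yaml.safe_load` or `SafeLoader` on untrusted input) is only actionable once the non-safe call sites in a code base are known. What follows is an added example, not code from this bug report, from PyYAML or from Red Hat: a small static audit over Python source that flags `yaml.load`, `yaml.full_load` and `yaml.unsafe_load` calls (and their `*_all` variants) whose loader is not `SafeLoader` or `BaseLoader`. The names `audit_source`, `Finding` and `SAMPLE`, and the sample module it scans, are constructed here for illustration; the PyYAML function and loader names are the library's own.

```python
"""Find PyYAML call sites that use a loader other than SafeLoader/BaseLoader.

Added example, not part of the bug report or of PyYAML: CVE-2020-1747 is
reachable only where untrusted YAML hits yaml.load/yaml.full_load or a
non-safe Loader, so the practical check is a static audit of callers.
audit_source(), Finding and SAMPLE are names chosen here for illustration.
"""
import ast
from dataclasses import dataclass

# PyYAML entry points that build arbitrary Python objects, or may depending
# on their Loader argument (yaml.safe_load / safe_load_all are not listed).
UNSAFE_FUNCS = {"load", "load_all", "full_load", "full_load_all",
                "unsafe_load", "unsafe_load_all"}
# Loader classes that refuse every !!python/* tag.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


@dataclass
class Finding:
    line: int
    call: str
    reason: str


def _loader_name(call):
    """Loader class name from Loader=... or the 2nd positional argument, else None."""
    arg = next((kw.value for kw in call.keywords if kw.arg == "Loader"), None)
    if arg is None and len(call.args) >= 2:
        arg = call.args[1]
    if arg is None:
        return None
    if isinstance(arg, ast.Attribute):   # yaml.SafeLoader
        return arg.attr
    if isinstance(arg, ast.Name):        # SafeLoader, imported by name
        return arg.id
    return "<dynamic>"                   # computed at runtime; cannot verify


def audit_source(src, filename="<string>"):
    """Return a Finding for each yaml.* call in src that is not provably safe."""
    tree = ast.parse(src, filename)
    module_aliases = set()   # names bound to the yaml module ("import yaml as y")
    imported_funcs = {}      # local name -> yaml function ("from yaml import load")
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            module_aliases.update(a.asname or "yaml" for a in node.names if a.name == "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            imported_funcs.update((a.asname or a.name, a.name) for a in node.names)

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in module_aliases):
            name, shown = func.attr, f"{func.value.id}.{func.attr}"
        elif isinstance(func, ast.Name) and func.id in imported_funcs:
            name, shown = imported_funcs[func.id], func.id
        else:
            continue
        if name not in UNSAFE_FUNCS:
            continue
        if name.startswith("load"):                 # load / load_all: depends on Loader
            loader = _loader_name(node)
            if loader in SAFE_LOADERS:
                continue
            if loader is None:
                reason = ("no Loader argument: PyYAML 5.1-5.x fall back to FullLoader, "
                          "older releases to the unsafe Loader")
            elif loader == "<dynamic>":
                reason = "Loader chosen at runtime; cannot verify it is SafeLoader"
            else:
                reason = f"Loader={loader} constructs arbitrary Python objects"
        else:                                       # full_load* / unsafe_load*
            fixed = "FullLoader" if name.startswith("full") else "UnsafeLoader"
            reason = f"{name} is equivalent to Loader={fixed}"
        findings.append(Finding(node.lineno, shown, reason))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input: a module with three exposed call sites.
SAMPLE = """\
import yaml
from yaml import load, FullLoader, SafeLoader

def parse_config(text):
    return yaml.safe_load(text)                # ok

def parse_user_doc(text):
    return yaml.full_load(text)                # CVE-2020-1747 exposure

def parse_legacy(text):
    return yaml.load(text)                     # no Loader argument

def parse_explicit(text):
    return load(text, Loader=FullLoader)       # via imported names

def parse_ok(text):
    return load(text, Loader=SafeLoader)       # ok
"""

if __name__ == "__main__":
    for f in audit_source(SAMPLE, "sample.py"):
        print(f"sample.py:{f.line}: {f.call}: {f.reason}")
```

Run it over a tree with `audit_source(open(path).read(), path)` per file. It is deliberately conservative: a Loader it cannot resolve statically is reported rather than assumed safe, and calls routed through wrappers or `getattr` are out of its reach, so treat it as a triage aid alongside the upgrade to the fixed version (PyYAML 5.3.1 per the Fixed In Version field), not as proof that no exposed call site exists.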