Bug 1806005 (CVE-2019-20477) - CVE-2019-20477 PyYAML: command execution through python/object/apply constructor in FullLoader
Summary: CVE-2019-20477 PyYAML: command execution through python/object/apply construc...
Alias: CVE-2019-20477
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1806010 1806011 1806013 1807434 1810084
Blocks: 1806012
TreeView+ depends on / blocked
Reported: 2020-02-21 20:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 20:32 UTC (History)
20 users (show)

Fixed In Version: pyYAML 5.2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/apply constructor.
Clone Of:
Last Closed: 2020-11-04 02:24:28 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4641 0 None None None 2020-11-04 02:35:50 UTC
Red Hat Product Errata RHSA-2021:0420 0 None None None 2021-02-04 16:14:35 UTC

Description Guilherme de Almeida Suckevicz 2020-02-21 20:02:23 UTC
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.


Comment 1 Guilherme de Almeida Suckevicz 2020-02-21 20:04:26 UTC
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1806010]

Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1806011]

Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1806013]

Comment 2 Summer Long 2020-02-24 05:04:06 UTC
RHOSP: This flaw is a result of incomplete fixes from CVE-2017-18342; the OpenStack analysis at that time still applies.

Comment 5 Riccardo Schirone 2020-02-25 10:25:16 UTC
Lowering the Impact of the flaw to Moderate as, same for CVE-2017-18342, load and load_all functions were already known to be unsafe and they should not be used with untrusted input.

Comment 6 Riccardo Schirone 2020-02-25 11:19:38 UTC
The issue is in the new Loader called FullLoader introduced in PyYAML 5.1, which was supposed to fix CVE-2017-18342. FullLoader is used by default by the yaml.load function and it was thought it was safer as explained in https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation. However, it is still possible to execute arbitrary code by using the python/object/apply constructor.

Upstream PR:

Upstream fix:

Comment 9 Riccardo Schirone 2020-02-25 17:18:47 UTC
Even though the CVSS is 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the Impact of this flaw is set to Medium as `yaml.load`/`yaml.full_load` should not be used on untrusted input. When untrusted input needs to be parsed, `SafeLoader` or `yaml.safe_load` must be used instead. This has been documented for a very long time in PyYAML.

Comment 10 Riccardo Schirone 2020-02-26 10:35:37 UTC
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.
Red Hat Enterprise Linux 7 and 8 currently ship an older version of PyYAML, that does not contain the vulnerable class, so they are not affected.

Comment 12 Riccardo Schirone 2020-02-26 10:43:23 UTC

Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.

Comment 14 Jason Shepherd 2020-02-27 00:55:58 UTC

This issue did not affect the versions of PyYAML as shipped with Red Hat Enterprise Linux 7, and 8 as they did not include the class FullLoader, which contains this vulnerability.

The PyYAML libary that is provided in the Red Hat OpenStack repositories is vulnerable. However, because there are no instances where this library is used in a way which exposes the vulnerability, the impact to OpenStack products has been reduced to 'low' and Red Hat will not be providing a fix at this time.  Any updates will be through RHEL channels.

Red Hat Quay 3.2 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.

Comment 20 Product Security DevOps Team 2020-11-04 02:24:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 21 errata-xmlrpc 2020-11-04 02:35:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641

Comment 22 errata-xmlrpc 2021-02-04 16:14:32 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420

Note You need to log in before you can comment on or make changes to this bug.