An arbitrary code execution flaw was discovered in PyYAML when YAML files are parsed with FullLoader. This loader is used by yaml.full_load() and, in affected versions, by yaml.load() when no loader is specified. Applications that use PyYAML to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to execute arbitrary code on the system by abusing the python/object/new constructor.
Acknowledgments: Name: Riccardo Schirone (Red Hat)
FullLoader, the class in which this vulnerability lies, was introduced in upstream version 5.1.
Even though the CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the Impact of this flaw is set to Moderate, as `yaml.load`/`yaml.full_load` should not be used on untrusted input. When untrusted input needs to be parsed, `SafeLoader` or `yaml.safe_load` must be used instead. This has been documented in PyYAML for a very long time.
Mitigation: Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.
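As an added illustration (not code from this report, from Red Hat or from the PyYAML project), the loading pattern described above placed next to the mitigated one, plus a pre-parse check that flags the python/* tag family named in the description so a rejected document can be logged before it is parsed. The function names, the sample documents and the regular expression are constructed for this example; the hostile sample names a harmless class (tuple) on purpose and is not an exploit. PyYAML is treated as optional so the tag check can be exercised where it is not installed.

```python
"""Added example for the PyYAML FullLoader flaw described in this report; not
code from the report, from Red Hat or from the PyYAML project. It shows the
loading pattern the report describes beside the mitigated one and adds a
pre-parse check for the tag family the report names (python/object/new)."""
import re

try:
    import yaml  # PyYAML; the report covers FullLoader in upstream 5.1 and later
    YAML_AVAILABLE = True
except ImportError:  # the tag check below does not need PyYAML at all
    yaml = None
    YAML_AVAILABLE = False

# Constructed sample documents (not taken from the report).
BENIGN_DOC = "server:\n  port: 8443\n  tls: true\n"
# Uses the constructor family the report names. The class chosen here (tuple)
# is harmless on purpose; the point is that FullLoader instantiates whatever
# class the tag names, while SafeLoader refuses the tag outright.
HOSTILE_DOC = "payload: !!python/object/new:tuple [[1, 2, 3]]\n"
# The same tag spelled as a verbatim URI tag; a naive "!!python/" substring
# check does not see it.
HOSTILE_DOC_VERBATIM = (
    "payload: !<tag:yaml.org,2002:python/object/new:tuple> [[1, 2, 3]]\n"
)

_PYTHON_TAG = re.compile(
    r"!!python/"                       # shorthand form of the python/* tags
    r"|!<tag:yaml\.org,2002:python/"   # verbatim URI form of the same tags
    r"|^%TAG\s",                       # a %TAG directive can alias the prefix,
    re.MULTILINE,                      # so any directive is treated as suspicious
)


def has_python_tags(text: str) -> bool:
    """Pre-parse heuristic: does the document use PyYAML's python/* tags?
    Meant for logging and alerting on untrusted input, not as the control;
    SafeLoader is the control."""
    return _PYTHON_TAG.search(text) is not None


def load_with_full_loader(text: str):
    """The pattern the report describes. In affected versions (5.1 up to the
    5.3.1 fix) this is the CVE-2020-1747 sink and must only ever see trusted
    data, as in the Quay nginx-configuration case in the statement below."""
    if not YAML_AVAILABLE:
        raise RuntimeError("PyYAML is not installed")
    return yaml.load(text, Loader=yaml.FullLoader)  # same as yaml.full_load(text)


def safe_load_outcome(text: str) -> str:
    """Run yaml.safe_load() alone and report 'loaded' or 'rejected'. SafeLoader
    knows only the core YAML types, so any python/* tag is a ConstructorError."""
    if not YAML_AVAILABLE:
        return "unavailable"
    try:
        yaml.safe_load(text)
        return "loaded"
    except yaml.constructor.ConstructorError:
        return "rejected"


def load_untrusted(text: str):
    """The mitigation from the report, with the tag check in front so that a
    hostile document is refused (and can be logged) before it is parsed."""
    if has_python_tags(text):
        raise ValueError("refusing YAML that uses PyYAML python/* tags")
    if not YAML_AVAILABLE:
        raise RuntimeError("PyYAML is not installed")
    return yaml.safe_load(text)


def refuses_untrusted(text: str) -> bool:
    """True when load_untrusted() rejects the document by its tag check."""
    try:
        load_untrusted(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_DOC), ("hostile", HOSTILE_DOC),
                      ("hostile-verbatim", HOSTILE_DOC_VERBATIM)]:
        print(f"{name}: python tags={has_python_tags(doc)}, "
              f"safe_load={safe_load_outcome(doc)}")
```

has_python_tags() is a detection aid with known limits (a %TAG directive can alias the tag prefix, which is why any directive is flagged); the control is yaml.safe_load, which rejects every python/* tag with a ConstructorError regardless of PyYAML version, so a hostile document never reaches a Python constructor.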
Statement: Red Hat Quay 3.2 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.
Upstream PR: https://github.com/yaml/pyyaml/pull/386
Created PyYAML tracking bugs for this issue: Affects: fedora-all [bug 1809011]
OpenStack: set to 'notaffected' because the packaged RHOSP version (PyYAML-3.10-11.el7) doesn't have the FullLoader code (lib/yaml/loader.py and constructor.py).
Upstream fix: https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1747
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641