In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls it with an untrusted argument: the default loader honours Python-specific tags such as !!python/object/apply, so a crafted document can import a module and call an arbitrary callable during parsing. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
Created python-ruamel-yaml tracking bugs for this issue: Affects: epel-all [bug 1808090] Affects: fedora-all [bug 1808089] Affects: openstack-rdo [bug 1808091]
Mitigation: Use the safe_load method in place of load when loading data that is not fully trusted. With the YAML() API, select the safe loader explicitly: yaml = YAML(typ='safe'); data = yaml.load(stream). Reference: https://yaml.readthedocs.io/en/latest/basicuse.html
Statement: While the openshift-logging-curator5-container contains the vulnerable code and method call, it only uses it to load a configuration file, which can be considered trusted data. Therefore this component of OpenShift Container Platform is not affected. The python-openshift dependency of OpenShift Container Platform only uses the vulnerable call in a deprecated and unused build script (removed in later versions), so it does not pose a risk to consumers of this library. Therefore it will not be fixed.