Bug 1808088 (CVE-2019-20478) - CVE-2019-20478 python-ruamel-yaml: code execution through load() method with an untrusted argument
Summary: CVE-2019-20478 python-ruamel-yaml: code execution through load() method with ...
Keywords:
Status: NEW
Alias: CVE-2019-20478
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1808090 1808089 1808091 1808261 1808262 1808269 1808270 1808272 1808273 1808275
Blocks: 1808092
TreeView+ depends on / blocked
 
Reported: 2020-02-27 19:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-07 08:30 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the ruamel.yaml library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the load() method. Applications that use ruamel.yaml to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/apply constructor.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-02-27 19:07:08 UTC 
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
Comment 1 Guilherme de Almeida Suckevicz 2020-02-27 19:07:38 UTC 
Created python-ruamel-yaml tracking bugs for this issue:

Affects: epel-all [bug 1808090]
Affects: fedora-all [bug 1808089]
Affects: openstack-rdo [bug 1808091]
Comment 10 Sam Fowler 2020-03-03 08:16:51 UTC 
Mitigation:

Use the 'safe_load' method in place of 'load' if loading untrusted data. Alternatively use:
yaml=YAML(typ='safe') 
yaml.load()

Reference: https://yaml.readthedocs.io/en/latest/basicuse.html
Comment 12 Jason Shepherd 2020-08-17 22:48:32 UTC 
Statement:

While the openshift-logging-curator5-container contains the vulnerable code, and method call, it only uses it to load a configuration file, which can be considered trusted data. Therefore this component of OpenShift Container Platform is not affected.

The python-openshift the dependency of OpenShift Container Platform is only used in a deprecated and unused build script (that is removed in later versions), and does not pose a risk to consumers of this library. Therefore it will not be fixed.
Note You need to log in before you can comment on or make changes to this bug.