Bug 1709598 (CVE-2019-10135) - CVE-2019-10135 osbs-client: Object injection through insecure use of yaml.load() function
Alias: CVE-2019-10135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1722329
Blocks: 1709600
Reported: 2019-05-13 22:58 UTC by Pedro Sampaio
Modified: 2019-09-29 15:13 UTC (History)

Fixed In Version: osbs-client 0.56.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the yaml.load() function in the osbs-client prior to version 0.56.1. Insecure use of the yaml.load() function allowed the user to load any suspicious object for code execution via the parsing of malicious YAML files.
Clone Of:
Last Closed: 2019-06-25 13:05:05 UTC


Description Pedro Sampaio 2019-05-13 22:58:49 UTC
A flaw was found in osbs-client. yaml.load() is used for insecure user input instead of yaml.load_safe(). Thus osbs-client allows loading any suspicious objects given by the user.
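As an added illustration (not osbs-client's own code), the snippet below contrasts the hardened PyYAML call, yaml.safe_load(), with the unsafe pattern this bug describes; it assumes the old yaml.load() call is equivalent to yaml.load(text, Loader=yaml.Loader), uses a harmless !!python/tuple tag as the stand-in for an attacker-chosen object tag, and needs the PyYAML package installed.

```python
# Added example, not code from osbs-client. Requires PyYAML (import yaml).
import yaml

# Constructed sample documents for the demonstration, not from the bug report.
BENIGN_YAML = "image: registry.example.com/app:1.0\nreplicas: 2\n"
# A document carrying a Python-specific tag. !!python/tuple is harmless, but
# the same mechanism lets a full Loader instantiate arbitrary Python objects.
TAGGED_YAML = "build: !!python/tuple [1, 2]\n"


def load_untrusted(text):
    """Hardened loader for user-supplied YAML.

    yaml.safe_load() only constructs plain YAML types (mappings, sequences,
    scalars).  Any document using a !!python/... tag is refused with a
    yaml.constructor.ConstructorError, which we map to None so callers
    cannot accidentally process a partially built object graph.
    """
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError:
        # Covers both ConstructorError (unknown/forbidden tag) and syntax errors.
        return None


def load_unsafe(text):
    """The pre-0.56.1 pattern (assumed equivalent to the old yaml.load(text)).

    yaml.Loader honours every tag the document names, so the YAML author,
    not the application, decides which Python objects get constructed.
    """
    return yaml.load(text, Loader=yaml.Loader)


if __name__ == "__main__":
    print("safe, benign  :", load_untrusted(BENIGN_YAML))
    print("safe, tagged  :", load_untrusted(TAGGED_YAML))   # None: tag refused
    print("unsafe, tagged:", load_unsafe(TAGGED_YAML))      # tuple constructed
```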

Comment 3 Sam Fowler 2019-05-14 00:53:39 UTC

Name: Martin Bašti (Red Hat)

Comment 6 Dave Baker 2019-05-14 19:02:35 UTC
Upstream is: https://github.com/projectatomic/osbs-client

Comment 7 Dave Baker 2019-05-14 19:10:52 UTC
epel-6 (osbs-client-0.24-1.el6.src.rpm) and epel-7 (osbs-client-0.32-1.el7.src.rpm) both predate the problematic code, introduced in Jan 2018 with "import yaml"

Comment 8 Sam Fowler 2019-05-15 01:25:08 UTC
yaml.load() was first introduced in version 0.46:


Comment 9 Sam Fowler 2019-06-20 05:23:22 UTC
Upstream Fix:


Comment 10 Sam Fowler 2019-06-20 05:28:38 UTC
Created osbs-client tracking bugs for this issue:

Affects: fedora-all [bug 1722329]
