Bug 1860466 (CVE-2020-14343) - CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747
Summary: CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747
Alias: CVE-2020-14343
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1860468 1860469 1860470 1861784 1861785 1910657 1941794 1943254 1949044 1967303
Blocks: 1860471
Reported: 2020-07-24 17:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-08-10 06:07 UTC (History)

Fixed In Version: PyYAML 5.4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Clone Of:
Last Closed: 2021-06-29 16:40:23 UTC

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2583 0 None None None 2021-06-29 16:01:25 UTC
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:07:51 UTC

Description Guilherme de Almeida Suckevicz 2020-07-24 17:18:31 UTC
The fix made in PyYAML for CVE-2020-1747 was not sufficient to resolve the issue.


Comment 1 Guilherme de Almeida Suckevicz 2020-07-24 17:34:13 UTC
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1860469]

Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1860470]

Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1860468]

Comment 2 Summer Long 2020-07-27 02:07:52 UTC
OpenStack: set to 'notaffected' because the packaged RHOSP version (PyYAML-3.10-11.el7) doesn't have the FullLoader code (lib/yaml/loader.py and constructor.py).

Comment 6 Riccardo Schirone 2020-07-29 13:34:15 UTC
Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.

Comment 7 Riccardo Schirone 2020-07-29 13:41:22 UTC
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.

Comment 8 Riccardo Schirone 2020-07-29 14:24:35 UTC
The fix for CVE-2020-1747 was to implement a blacklist that prevented some properties from being set when deserializing Python objects. However, it is still possible to bypass such a blacklist by carefully nesting objects.

Comment 13 Riccardo Schirone 2020-09-24 08:09:34 UTC
Upstream opinion on the topic: https://github.com/yaml/pyyaml/issues/420#issuecomment-696752389 .

Comment 15 John Eckersberg 2021-01-15 14:15:07 UTC
Oops, sorry, closed the wrong bug.

Currently getting fixed in Fedora here - https://bugzilla.redhat.com/show_bug.cgi?id=1916496

Once it goes stable I'll update the fedora CVE bug.

Comment 16 Sam Fowler 2021-01-20 01:14:25 UTC
Upstream fix:


Comment 22 Jason Shepherd 2021-04-16 06:02:54 UTC
Ansible Tower 3.7 uses an affected version of PyYAML (3.12) from RHEL, but the use of load() is specified with a SafeLoader when it is called. So Ansible Tower and Ansible Engine are not affected.

Red Hat Quay, from version 3.4, uses the safe_load function, which is not affected by this issue. See [1].

Even though the CVSSv3 for this flaw is 9.8, the Impact has been set to Moderate because PyYAML provides a specific method to deal with untrusted input, which is `yaml.safe_load`. `yaml.safe_load` or the SafeLoader loader should be used whenever the input YAML can be modified by a malicious user.

[1] https://github.com/quay/quay/pull/603
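
The mitigation that Comment 6 and Comment 22 describe (parsing untrusted YAML with SafeLoader, or equivalently `yaml.safe_load`), as an added example that is not code from the bug report or from PyYAML itself. It assumes PyYAML is installed; the sample documents, the `load_untrusted_yaml` and `classify` helpers, and the `builtins.str` target are constructed for illustration.

```python
# Added example: parse YAML from an untrusted source with SafeLoader and show
# that a document carrying the python/object/new tag family named in this bug
# is refused before any Python object is constructed.
import yaml
from yaml.constructor import ConstructorError

# Constructed sample: ordinary configuration data, standard YAML tags only.
BENIGN_DOC = """
service: inventory
replicas: 3
tags: [internal, yaml-test]
"""

# Constructed sample: the tag family from the report. The target (builtins.str)
# is deliberately harmless; SafeLoader never reaches a constructor for this
# tag at all, whatever the target is.
TAGGED_DOC = "config: !!python/object/new:builtins.str []\n"


def load_untrusted_yaml(text: str):
    """Parse YAML from an untrusted source.

    Naming SafeLoader explicitly (instead of relying on yaml.load's default
    Loader, which differed across PyYAML versions) pins the behaviour: only
    standard YAML tags are constructed, and any python/* tag raises.
    """
    try:
        return yaml.load(text, Loader=yaml.SafeLoader)
    except ConstructorError as exc:
        # Surface the offending tag so the rejection shows up in logs.
        raise ValueError(f"rejected YAML with unsupported tag: {exc.problem}") from exc


def classify(text: str) -> str:
    """Return 'ok' when the document parses safely, 'rejected' otherwise."""
    try:
        load_untrusted_yaml(text)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(classify(BENIGN_DOC))  # ok
    print(classify(TAGGED_DOC))  # rejected
```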

Comment 28 errata-xmlrpc 2021-06-29 16:01:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2583 https://access.redhat.com/errata/RHSA-2021:2583

Comment 29 Product Security DevOps Team 2021-06-29 16:40:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 30 errata-xmlrpc 2021-11-16 14:07:49 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702
