Safety vulnerability ID: 40781
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Seldon-core 1.6.0 uses yaml.safe_load() instead of yaml.load() to avoid a potential code execution vulnerability.
Latest version: 1.18.2
Seldon Core client and microservice wrapper
[v1.6.0](https://github.com/seldonio/seldon-core/tree/v1.6.0) (2021-02-03)
[Full Changelog](https://github.com/seldonio/seldon-core/compare/v1.5.1...v1.6.0)
**Implemented enhancements:**
- Create a prepackaged model server for PyTorch Models [\#831](https://github.com/SeldonIO/seldon-core/issues/831)
**Fixed bugs:**
- IsADirectoryError: \[Errno 21\] Is a directory: '/mnt/models' [\#2876](https://github.com/SeldonIO/seldon-core/issues/2876)
- error: a container name must be specified for pod [\#2875](https://github.com/SeldonIO/seldon-core/issues/2875)
- MLFlow server-- ModuleNotFoundError: No module named 'prediction' [\#2874](https://github.com/SeldonIO/seldon-core/issues/2874)
- V1 CRD has missing grpcPort and httpPort [\#2866](https://github.com/SeldonIO/seldon-core/issues/2866)
- Broken Link to Documentation Example I'd like to find if it exists [\#2836](https://github.com/SeldonIO/seldon-core/issues/2836)
- Executor does not send feedback to Routers. [\#2827](https://github.com/SeldonIO/seldon-core/issues/2827)
- ArgoCD OutOfSync if SeldonDeployment includes mountpoint [\#2811](https://github.com/SeldonIO/seldon-core/issues/2811)
- Helm failing to fetch https://kubernetes-charts.storage.googleapis.com/ resulting in failing tests [\#2808](https://github.com/SeldonIO/seldon-core/issues/2808)
- send\_feedback response is incorrectly managed in seldon\_methods.py [\#2801](https://github.com/SeldonIO/seldon-core/issues/2801)
- Upgrading to 1.5.0 causes unexpected error when calling predict endpoint of Python custom model [\#2786](https://github.com/SeldonIO/seldon-core/issues/2786)
- SHAP Breaks Alibi Detect on Python 3.6 due to unpinned Numpy dependency [\#2767](https://github.com/SeldonIO/seldon-core/issues/2767)
- Error when using the R language wrapper [\#2744](https://github.com/SeldonIO/seldon-core/issues/2744)
- Transformers model unable to run with Cuda [\#2680](https://github.com/SeldonIO/seldon-core/issues/2680)
- Allow seldon manager to run as non-root [\#2631](https://github.com/SeldonIO/seldon-core/issues/2631)
- Operator sets HTTPS on the Engine's liveness and ready checks [\#2586](https://github.com/SeldonIO/seldon-core/issues/2586)
- high memory and cpu usage in deployment of xgboost rest [\#1986](https://github.com/SeldonIO/seldon-core/issues/1986)
**Security fixes:**
- Resolve CVE for PyYAML - CVE-2020-14343 [\#2252](https://github.com/SeldonIO/seldon-core/issues/2252)
**Closed issues:**
- CVE checks update for redhat image scans [\#2869](https://github.com/SeldonIO/seldon-core/issues/2869)
- Does Seldon Batch Processing Work with Azure Blob Storage? [\#2858](https://github.com/SeldonIO/seldon-core/issues/2858)
- Update engine docs as deprecated [\#2840](https://github.com/SeldonIO/seldon-core/issues/2840)
- Support V2 Protocol in outlier and drift detectors [\#2831](https://github.com/SeldonIO/seldon-core/issues/2831)
- add example of batch processor with rclone [\#2819](https://github.com/SeldonIO/seldon-core/issues/2819)
- Add example of custom init container with rclone [\#2818](https://github.com/SeldonIO/seldon-core/issues/2818)
- remove mutating webhook [\#2817](https://github.com/SeldonIO/seldon-core/issues/2817)
- Handle KFServing V2 Protocol in request logger [\#2791](https://github.com/SeldonIO/seldon-core/issues/2791)
- Create 1.5.1 release with cherrypick [\#2756](https://github.com/SeldonIO/seldon-core/issues/2756)
- Use f-strings in MAB study case examples [\#2729](https://github.com/SeldonIO/seldon-core/issues/2729)
- helm chart imagePullSecrets support to bypass ratelimiting [\#2694](https://github.com/SeldonIO/seldon-core/issues/2694)
- Seldon-core-operator Update for handling namespace [\#2676](https://github.com/SeldonIO/seldon-core/issues/2676)
- docs: No Release Highlights since 1.1.0 [\#2634](https://github.com/SeldonIO/seldon-core/issues/2634)
- Depricate engine \(old Java service orchestrator\) [\#2588](https://github.com/SeldonIO/seldon-core/issues/2588)
- Add support for Datadog Tracing in the Executor and the Python Wrapper [\#2436](https://github.com/SeldonIO/seldon-core/issues/2436)
- Multi\_Archtecture Support [\#2333](https://github.com/SeldonIO/seldon-core/issues/2333)
- Make deployment names configurable [\#2301](https://github.com/SeldonIO/seldon-core/issues/2301)
- java-wrapper-0.2.0 jar is not checked for validity [\#2180](https://github.com/SeldonIO/seldon-core/issues/2180)
- Stateful Model Serving by Saving state to Redis [\#2138](https://github.com/SeldonIO/seldon-core/issues/2138)
- Add documentation on how to extend base prepackaged servers with new images \(xgboost, sklearn, etc\) [\#2060](https://github.com/SeldonIO/seldon-core/issues/2060)
- Add documentation that dives into the iniContainer [\#2055](https://github.com/SeldonIO/seldon-core/issues/2055)
- Multiplexing or parallel serving of gRPC / REST in Python Wrapper [\#1968](https://github.com/SeldonIO/seldon-core/issues/1968)
- Allow globally configurable docker registry secret for seldon deployments [\#1923](https://github.com/SeldonIO/seldon-core/issues/1923)
- Remove probesonly flag [\#1856](https://github.com/SeldonIO/seldon-core/issues/1856)
- Use custom errors [\#1841](https://github.com/SeldonIO/seldon-core/issues/1841)
- Allow mixed rest/grpc graphs in new golang based executor [\#1820](https://github.com/SeldonIO/seldon-core/issues/1820)
**Merged pull requests:**
- yum update seemingly not needed for operator [\#2918](https://github.com/SeldonIO/seldon-core/pull/2918) ([ryandawsonuk](https://github.com/ryandawsonuk))
- update licenses for 1.6.0 [\#2916](https://github.com/SeldonIO/seldon-core/pull/2916) ([cliveseldon](https://github.com/cliveseldon))
- Update cuda version in wrapper Dockerfile.GPU [\#2906](https://github.com/SeldonIO/seldon-core/pull/2906) ([ashrafgt](https://github.com/ashrafgt))
- Update Python Builder to use latest git for compatibility with github actions [\#2894](https://github.com/SeldonIO/seldon-core/pull/2894) ([axsaucedo](https://github.com/axsaucedo))
- Github Action fixes [\#2892](https://github.com/SeldonIO/seldon-core/pull/2892) ([axsaucedo](https://github.com/axsaucedo))
- 2252 resolve pyyaml cve [\#2891](https://github.com/SeldonIO/seldon-core/pull/2891) ([axsaucedo](https://github.com/axsaucedo))
- Moving basic CI to github actions [\#2889](https://github.com/SeldonIO/seldon-core/pull/2889) ([axsaucedo](https://github.com/axsaucedo))
- Generate helm-charts again to fix: Error: secrets "seldon-webhook-ser… [\#2886](https://github.com/SeldonIO/seldon-core/pull/2886) ([RafalSkolasinski](https://github.com/RafalSkolasinski))
- updates for redhat scans [\#2870](https://github.com/SeldonIO/seldon-core/pull/2870) ([ryandawsonuk](https://github.com/ryandawsonuk))
- Fix grpcPort and httpPort in v1 CRD [\#2868](https://github.com/SeldonIO/seldon-core/pull/2868) ([cliveseldon](https://github.com/cliveseldon))
- Revert "Bump pandas from 1.1.0 to 1.2.0 in /python" [\#2867](https://github.com/SeldonIO/seldon-core/pull/2867) ([adriangonz](https://github.com/adriangonz))
- Allow feedback for routers and update router examples [\#2865](https://github.com/SeldonIO/seldon-core/pull/2865) ([cliveseldon](https://github.com/cliveseldon))
- Update Seldon versions for upgrade tests [\#2861](https://github.com/SeldonIO/seldon-core/pull/2861) ([adriangonz](https://github.com/adriangonz))
- Deprecate Java engine [\#2857](https://github.com/SeldonIO/seldon-core/pull/2857) ([adriangonz](https://github.com/adriangonz))
- Add engine deprecation note [\#2856](https://github.com/SeldonIO/seldon-core/pull/2856) ([adriangonz](https://github.com/adriangonz))
- Manager running as non-root [\#2853](https://github.com/SeldonIO/seldon-core/pull/2853) ([cliveseldon](https://github.com/cliveseldon))
- remove mutating webhook from Seldon Core Operator [\#2852](https://github.com/SeldonIO/seldon-core/pull/2852) ([RafalSkolasinski](https://github.com/RafalSkolasinski))
- Bump pandas from 1.1.0 to 1.2.0 in /python [\#2846](https://github.com/SeldonIO/seldon-core/pull/2846) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- Rclone powered batch [\#2842](https://github.com/SeldonIO/seldon-core/pull/2842) ([RafalSkolasinski](https://github.com/RafalSkolasinski))
- add hdfs example [\#2841](https://github.com/SeldonIO/seldon-core/pull/2841) ([RafalSkolasinski](https://github.com/RafalSkolasinski))
- 2744 R Language Wrapper Fix for JSON requests [\#2837](https://github.com/SeldonIO/seldon-core/pull/2837) ([axsaucedo](https://github.com/axsaucedo))
- Revert "Bump pandas from 1.1.0 to 1.2.0 in /python" [\#2835](https://github.com/SeldonIO/seldon-core/pull/2835) ([axsaucedo](https://github.com/axsaucedo))
- Example: Pachyderm -\> Seldon-Core CD4ML [\#2833](https://github.com/SeldonIO/seldon-core/pull/2833) ([philwinder](https://github.com/philwinder))
- Update Alibi Detect Server [\#2832](https://github.com/SeldonIO/seldon-core/pull/2832) ([cliveseldon](https://github.com/cliveseldon))
- Update jaeger-client requirement from \<4.4.0,\>=4.1.0 to \>=4.1.0,\<4.5.0 in /python [\#2828](https://github.com/SeldonIO/seldon-core/pull/2828) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- fix nblink to include image of pachyderm example [\#2820](https://github.com/SeldonIO/seldon-core/pull/2820) ([RafalSkolasinski](https://github.com/RafalSkolasinski))
- update triton tfserving example [\#2815](https://github.com/SeldonIO/seldon-core/pull/2815) ([cliveseldon](https://github.com/cliveseldon))
- extend init containers documentation [\#2814](https://github.com/SeldonIO/seldon-core/pull/2814) ([RafalSkolasinski](https://github.com/RafalSkolasinski))
- minor fix to pachyderm example \(doc paths\) [\#2813](https://github.com/SeldonIO/seldon-core/pull/2813) ([RafalSkolasinski](https://github.com/RafalSkolasinski))
- Bump pillow from 8.0.1 to 8.1.0 in /python [\#2810](https://github.com/SeldonIO/seldon-core/pull/2810) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- Helm chart repo fix for integration tests [\#2809](https://github.com/SeldonIO/seldon-core/pull/2809) ([axsaucedo](https://github.com/axsaucedo))
- Fix send\_feedback response wrongly wrapped as ndarray [\#2807](https://github.com/SeldonIO/seldon-core/pull/2807) ([frr-ndr](https://github.com/frr-ndr))
- Bump pandas from 1.1.0 to 1.2.0 in /python [\#2804](https://github.com/SeldonIO/seldon-core/pull/2804) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- Update request logger to support v2 protocol [\#2802](https://github.com/SeldonIO/seldon-core/pull/2802) ([cliveseldon](https://github.com/cliveseldon))
- Bump pytest from 6.2.0 to 6.2.1 in /python [\#2797](https://github.com/SeldonIO/seldon-core/pull/2797) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- Bump tenacity from 6.2.0 to 6.3.1 in /python [\#2796](https://github.com/SeldonIO/seldon-core/pull/2796) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- Bump coverage from 5.3 to 5.3.1 in /python [\#2795](https://github.com/SeldonIO/seldon-core/pull/2795) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- Updated changelog for v1.5.1 [\#2792](https://github.com/SeldonIO/seldon-core/pull/2792) ([axsaucedo](https://github.com/axsaucedo))
- Bump tensorflow from 1.15.4 to 2.4.0 in /testing/scripts [\#2790](https://github.com/SeldonIO/seldon-core/pull/2790) ([dependabot[bot]](https://github.com/apps/dependabot))
- Bump tensorflow from 1.15.4 to 2.4.0 in /examples/explainers/imagenet/resources/transformer [\#2789](https://github.com/SeldonIO/seldon-core/pull/2789) ([dependabot[bot]](https://github.com/apps/dependabot))
- Adds GRPCIO guards on tfserving-proxy server to fix version clash [\#2788](https://github.com/SeldonIO/seldon-core/pull/2788) ([axsaucedo](https://github.com/axsaucedo))
- do not act on resources that have deletion timestamp set [\#2782](https://github.com/SeldonIO/seldon-core/pull/2782) ([RafalSkolasinski](https://github.com/RafalSkolasinski))
- Bump github.com/onsi/gomega from 1.10.2 to 1.10.4 in /operator [\#2778](https://github.com/SeldonIO/seldon-core/pull/2778) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- Bump pytest from 6.1.2 to 6.2.0 in /python [\#2772](https://github.com/SeldonIO/seldon-core/pull/2772) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- Added f-strings in MAB study case examples [\#2771](https://github.com/SeldonIO/seldon-core/pull/2771) ([midhun1998](https://github.com/midhun1998))
- Extending Alibi Detect Server to expose prometheus metrics for outliers [\#2770](https://github.com/SeldonIO/seldon-core/pull/2770) ([axsaucedo](https://github.com/axsaucedo))
- updated black version to 20.8b1 [\#2769](https://github.com/SeldonIO/seldon-core/pull/2769) ([zyxue](https://github.com/zyxue))
- Added workaround for alibi explainer image build [\#2768](https://github.com/SeldonIO/seldon-core/pull/2768) ([axsaucedo](https://github.com/axsaucedo))
- feat\(examples/pachyderm-simple\): Update and improve Pachyderm example [\#2764](https://github.com/SeldonIO/seldon-core/pull/2764) ([philwinder](https://github.com/philwinder))
- Allow Namespace Override for seldon-core-operator [\#2762](https://github.com/SeldonIO/seldon-core/pull/2762) ([ntorba](https://github.com/ntorba))
- Update Timeouts Notebook [\#2753](https://github.com/SeldonIO/seldon-core/pull/2753) ([cliveseldon](https://github.com/cliveseldon))
- Revert "Add security context to seldon-controller-manager deployment" [\#2752](https://github.com/SeldonIO/seldon-core/pull/2752) ([cliveseldon](https://github.com/cliveseldon))
- Bump grpcio-reflection from 1.33.2 to 1.34.0 in /python [\#2749](https://github.com/SeldonIO/seldon-core/pull/2749) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
- Update image make minio client compatible with ssl cert mismatch and add delete step [\#2746](https://github.com/SeldonIO/seldon-core/pull/2746) ([omerfsen](https://github.com/omerfsen))
- Update licenses [\#2743](https://github.com/SeldonIO/seldon-core/pull/2743) ([cliveseldon](https://github.com/cliveseldon))
- Redhat 1.5.0 release [\#2739](https://github.com/SeldonIO/seldon-core/pull/2739) ([cliveseldon](https://github.com/cliveseldon))
- add python wrapper developer notes [\#2738](https://github.com/SeldonIO/seldon-core/pull/2738) ([RafalSkolasinski](https://github.com/RafalSkolasinski))
- Update OWNERS\_ALIASES [\#2733](https://github.com/SeldonIO/seldon-core/pull/2733) ([axsaucedo](https://github.com/axsaucedo))
- Update OWNERS [\#2732](https://github.com/SeldonIO/seldon-core/pull/2732) ([axsaucedo](https://github.com/axsaucedo))