CVE-2017-18342

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

Fixed:
- Changed `Files.new_data_source()` to use `yaml.safe_load()` instead of `yaml.load()` for YAML/JSON test data parsing. This disables `pyyaml` extended syntax features that could allow arbitrary code execution. ([136](https://github.com/launchdarkly/python-server-sdk/issues/136))

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342
• https://github.com/yaml/pyyaml/pull/74
• https://github.com/yaml/pyyaml/blob/master/CHANGES
• https://lists.fedoraproject.org/archives/list/[email protected]/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/
• https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
• https://github.com/marshmallow-code/apispec/issues/278
• https://github.com/yaml/pyyaml/issues/193
• https://security.gentoo.org/glsa/202003-45