Safety vulnerability ID: 36496
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Latest version: 4.1.2
A lightweight library for converting complex datatypes to and from native Python datatypes.
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
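The root cause described above is a common Python pitfall: testing a sequence for truthiness (`if not only:`) conflates an empty list (meaning "expose nothing") with `None` (meaning "no filter requested"). The following added example is not marshmallow's code; it is a constructed, dependency-free model of the same field-filtering logic, showing the faulty check beside the corrected one and a role-to-fields mapping in which one role legitimately resolves to an empty field list. The record, role names and field names are all constructed for illustration.

```python
"""Model of the 'empty only-list treated as no filter' bug class.

Constructed example; not code from the marshmallow project.
"""
from typing import Dict, Iterable, Optional

# Constructed sample record (not from the advisory).
RECORD: Dict[str, object] = {
    "id": 7,
    "email": "alice@example.com",
    "ssn": "000-00-0000",
    "role": "admin",
}

# Constructed role -> permitted fields mapping. The "anonymous" role is
# meant to see nothing, so it maps to an empty list.
ROLE_FIELDS: Dict[str, Iterable[str]] = {
    "admin": ["id", "email", "ssn", "role"],
    "support": ["id", "email"],
    "anonymous": [],
}


def dump_vulnerable(record: Dict[str, object],
                    only: Optional[Iterable[str]] = None) -> Dict[str, object]:
    """Faulty pattern: a truthiness test treats [] exactly like None.

    An empty `only` therefore disables filtering and returns every field.
    """
    if not only:                      # [] and None both take this branch
        return dict(record)
    allowed = set(only)
    return {k: v for k, v in record.items() if k in allowed}


def dump_fixed(record: Dict[str, object],
               only: Optional[Iterable[str]] = None) -> Dict[str, object]:
    """Corrected pattern: only None means "no filter"; [] means "no fields"."""
    if only is None:                  # explicit identity check, not truthiness
        return dict(record)
    allowed = set(only)               # empty set -> nothing passes the filter
    return {k: v for k, v in record.items() if k in allowed}


def dump_for_role(record: Dict[str, object], role: str,
                  dumper=dump_fixed) -> Dict[str, object]:
    """Dynamic filtering by role. Unknown roles fall back to deny-all ([])."""
    only = list(ROLE_FIELDS.get(role, []))
    return dumper(record, only=only)


if __name__ == "__main__":
    # The anonymous role should receive nothing; the faulty check leaks all.
    print("vulnerable:", dump_for_role(RECORD, "anonymous", dumper=dump_vulnerable))
    print("fixed:     ", dump_for_role(RECORD, "anonymous"))
```

The defensive lesson carries beyond this one library: any allow-list that can legitimately be empty must be compared against `None` (or a dedicated sentinel) rather than tested for truthiness, and a role that resolves to no fields should be exercised in tests exactly as shown here, because that is the case the faulty check silently inverts.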
References:
https://github.com/marshmallow-code/marshmallow/issues/772
https://github.com/marshmallow-code/marshmallow/pull/777
https://github.com/marshmallow-code/marshmallow/pull/782