CVE-2020-14343 - log

CVE-2020-14343 edited at 17 Mar 2021 10:49:01
References
https://bugzilla.redhat.com/show_bug.cgi?id=1860466
https://github.com/yaml/pyyaml/issues/420
https://github.com/yaml/pyyaml/pull/472
- https://github.com/yaml/pyyaml/commit/7adc0db3f613a82669f2b168edd98379b83adb3c
+ https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc
CVE-2020-14343 edited at 09 Feb 2021 22:38:13
Description
- A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
+ A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
CVE-2020-14343 edited at 16 Jan 2021 09:06:13
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Arbitrary code execution
Description
+ A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1860466
+ https://github.com/yaml/pyyaml/issues/420
+ https://github.com/yaml/pyyaml/pull/472
+ https://github.com/yaml/pyyaml/commit/7adc0db3f613a82669f2b168edd98379b83adb3c
Notes
CVE-2020-14343 created at 16 Jan 2021 09:03:28