oss-sec mailing list archives
CVE for PyYAML RCE-factory API
From: Alex Gaynor <alex.gaynor () gmail com>
Date: Tue, 26 Jun 2018 21:18:39 -0400
In releases of PyYAML < 4.1 using the `yaml.load()` API on untrusted input could lead to arbitrary code execution. Instead, users were advised to use the `yaml.safe_load()` API.

Starting with the PyYAML 4.1 release, the `yaml.load()` API has been made safe-by-default. Users wishing to opt into the old behavior and produce RCEs (or who trust their input) can use the `yaml.danger_load`.

Because of the degree to which this API presented a footgun, I would like to request a CVE for it.

Alex

-- 
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
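The distinction the post draws, shown as an added example (this is not code from the post or from PyYAML itself): the safe loader and the full-trust loader are run over the same document carrying a `python/object/apply` tag. The opt-in loader's name differs between releases (the post's `yaml.danger_load` in 4.1; `yaml.unsafe_load` from 5.1 on), so the example uses `yaml.load` with an explicit `Loader=` argument, which exists on every release. The YAML documents, the `math.gcd` call standing in for an attacker-chosen callable, and the function names `load_untrusted` / `load_trusted` are constructed for this illustration.

```python
"""Added example, not part of the oss-sec post or of PyYAML: compare
yaml.safe_load with the full-trust loader on a document that asks the
constructor to import a module and call a function. Requires PyYAML.
"""
import yaml

# Constructed sample: the tag instructs the unsafe constructor to import
# math and call math.gcd(12, 18). A harmless callable stands in here for
# whatever an attacker would actually name; the mechanism is identical.
TAGGED_DOC = "result: !!python/object/apply:math.gcd [12, 18]\n"

# Constructed sample of ordinary data-only YAML.
PLAIN_DOC = "name: build-server\nports: [22, 443]\n"


def load_untrusted(text):
    """Parse YAML from an untrusted source.

    safe_load only resolves the core YAML tags (str, int, seq, map, ...),
    so any python/* tag makes it raise ConstructorError rather than
    executing anything. Returns ('ok', value) or ('rejected', error name).
    """
    try:
        return "ok", yaml.safe_load(text)
    except yaml.YAMLError as exc:
        return "rejected", exc.__class__.__name__


def load_trusted(text):
    """Parse YAML you fully control (your own config files, for example).

    yaml.Loader resolves python/* tags by importing the named module and
    calling the named object with the document-supplied arguments. This
    is the behaviour the post describes as an RCE factory; never point it
    at input from a network client, an upload, or a repository you do not
    control.
    """
    return yaml.load(text, Loader=yaml.Loader)


if __name__ == "__main__":
    print(load_untrusted(PLAIN_DOC))   # ('ok', {'name': ..., 'ports': [...]})
    print(load_untrusted(TAGGED_DOC))  # ('rejected', 'ConstructorError')
    print(load_trusted(TAGGED_DOC))    # {'result': 6}: math.gcd really ran
```

The check worth keeping from this is the second call: a loader that is safe for untrusted input must refuse the tagged document outright, not merely produce a harmless value from it.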
Current thread:
- CVE for PyYAML RCE-factory API Alex Gaynor (Jun 26)
- Re: CVE for PyYAML RCE-factory API Seth Arnold (Jun 26)
- Re: CVE for PyYAML RCE-factory API Alex Gaynor (Jun 27)
- Re: CVE for PyYAML RCE-factory API Seth Arnold (Jun 26)