View all vulnerabilities

CVE-2019-20477

Deserialization of Untrusted Data in PyYAML

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
9.8
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions
pyyaml >= 5.1 < 5.2
Severity
Ecosystem
Python
Publish Date
April 20, 2021
Modified Date
October 25, 2024