First published: Tue Nov 01 2011
A flaw in Piston, a popular REST API framework for Django, was reported [1] in how it handles deserialization of YAML POST data. It uses the yaml.load method, which is unsafe and in certain circumstances could be used to allow remote execution of arbitrary code. The updated versions of Piston (0.2.3 and 0.2.2.1) correctly use the yaml.safe_load method, which prevents remote code execution. This does not affect Django itself, but any users who have installed and use the django-piston package on Fedora may be vulnerable. The upstream patch [2] is in git.

[1] https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
[2] https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543
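The following is an added example, not Piston's code or the upstream patch: a Piston-style YAML request loader in its pre-fix form (yaml.load with the full loader) beside the fixed form (yaml.safe_load), run against two constructed request bodies. It assumes PyYAML is installed; the benign body and the tagged body are constructed samples, and the tag invokes a harmless builtin only to show that the full loader calls Python objects while parsing and the safe loader refuses the tag.

```python
"""Added example (not django-piston's own code). Assumes PyYAML."""
import yaml

# Constructed: an ordinary API payload a client would POST as YAML.
BENIGN_BODY = "title: hello\ntags: [api, yaml]\ncount: 3\n"

# Constructed: a document carrying a PyYAML Python-specific tag. The full
# loader resolves the tag and *calls* the named Python object during
# parsing; a harmless builtin stands in here to show the behaviour.
TAGGED_BODY = "result: !!python/object/apply:builtins.sum [[1, 2, 3]]\n"


def load_unsafe(raw: str):
    """Pre-0.2.2.1 behaviour: the full loader honours Python object tags."""
    return yaml.load(raw, Loader=yaml.Loader)


def load_safe(raw: str):
    """Fixed behaviour: safe_load builds only plain YAML types
    (str, int, float, bool, list, dict, None) and rejects custom tags."""
    return yaml.safe_load(raw)


def deserialize_request(raw: str) -> dict:
    """Hardened handler: returns a mapping or raises ValueError, so the
    view layer can answer 400 instead of evaluating anything."""
    try:
        data = load_safe(raw)
    except yaml.YAMLError as exc:
        raise ValueError(f"rejected YAML body: {type(exc).__name__}") from exc
    if not isinstance(data, dict):
        raise ValueError("YAML body must be a mapping")
    return data


def tagged_body_rejected(raw: str) -> bool:
    """True when the safe loader refuses the document (ConstructorError)."""
    try:
        load_safe(raw)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("safe handler:", deserialize_request(BENIGN_BODY))
    print("full loader evaluated the tag:", load_unsafe(TAGGED_BODY))
    print("safe loader rejects the tag:", tagged_body_rejected(TAGGED_BODY))
```

A regression test that asserts tagged_body_rejected on a tagged body is the cheapest way to make sure a later refactor does not quietly reintroduce the full loader.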
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Djangoproject Piston | <=0.2.2.0 | |
| pip/django-piston | >=0.2.0, <0.2.2.1 | 0.2.2.1 |