CVE-2019-20477
First published: Mon Nov 18 2019(Updated: )
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/apply constructor.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pyyaml Pyyaml | >=5.1<=5.1.2 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| redhat/pyYAML | <5.2 | 5.2 |
| pip/pyyaml | >=5.1<5.2 | 5.2 |
Remedy
Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-20477 https://nvd.nist.gov/vuln/detail/CVE-2019-20477
- https://bugzilla.redhat.com/show_bug.cgi?id=1806005
- https://access.redhat.com/errata/RHSA-2020:4641
- https://access.redhat.com/errata/RHSA-2021:0420
- https://access.redhat.com/security/cve/cve-2019-20477
- https://github.com/yaml/pyyaml/blob/master/CHANGES
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33VBUY73AA6CTTYL3LRWHNFDULV7PFPN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/52N5XS73Z5S4ZN7I7R56ICCPCTKCUV4H/
- https://www.exploit-db.com/download/47655
- https://access.redhat.com/security/cve/CVE-2017-18342
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1806010
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1806011
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1806013
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1595743#c16
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
- https://github.com/yaml/pyyaml/pull/347
- https://github.com/yaml/pyyaml/commit/8c5e47fe62d7b9e0282a176a4b79b8b2980dc704
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/52N5XS73Z5S4ZN7I7R56ICCPCTKCUV4H/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33VBUY73AA6CTTYL3LRWHNFDULV7PFPN/
- https://nvd.nist.gov/vuln/detail/CVE-2019-20477
- https://github.com/advisories/GHSA-3pqx-4fqf-j49f (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2020-176.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33VBUY73AA6CTTYL3LRWHNFDULV7PFPN
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/52N5XS73Z5S4ZN7I7R56ICCPCTKCUV4H
Frequently Asked Questions
What is CVE-2019-20477?
CVE-2019-20477 is a vulnerability in the PyYAML library that allows arbitrary code execution when processing untrusted YAML files.
What software versions are affected by CVE-2019-20477?
PyYAML versions 5.1 through 5.1.2 are affected by CVE-2019-20477.
How severe is CVE-2019-20477?
CVE-2019-20477 has a severity rating of 9.8 (Critical).
How can I fix CVE-2019-20477?
To fix CVE-2019-20477, upgrade to PyYAML version 5.2.
Where can I find more information about CVE-2019-20477?
You can find more information about CVE-2019-20477 at the following references: [Link 1](https://access.redhat.com/security/cve/CVE-2017-18342), [Link 2](https://github.com/yaml/pyyaml/blob/master/CHANGES), [Link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1806010).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-20477
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3pqx-4fqf-j49f
- agent/softwarecombine
- agent/last-modified-date
- agent/references
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- agent/tags
- collector/github-advisory
- vendor/pyyaml
- canonical/pyyaml pyyaml
- version/pyyaml pyyaml/5.1
- version/pyyaml pyyaml/5.1.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- package-manager/redhat
- package-manager/pip