CVE-2020-1747: Input Validation
First published: Wed Feb 26 2020(Updated: )
A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pyyaml Pyyaml | >=5.1<5.3.1 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| openSUSE Leap | =15.1 | |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =22.1.0 | |
| redhat/PyYAML | <5.3.1 | 5.3.1 |
| pip/pyyaml | >=5.1b7<5.3.1 | 5.3.1 |
Remedy
Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-1747
- https://github.com/yaml/pyyaml/pull/386
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0
- https://github.com/advisories/GHSA-6757-jp84-gxfx (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2020-1747 https://nvd.nist.gov/vuln/detail/CVE-2020-1747
- https://bugzilla.redhat.com/show_bug.cgi?id=1807367
- https://access.redhat.com/errata/RHSA-2020:4641
- https://access.redhat.com/security/cve/CVE-2020-1747
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1809011
- https://access.redhat.com/security/cve/cve-2020-1747
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/178416
- https://www.ibm.com/support/pages/node/6346922 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2020-96.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2
- https://github.com/github/advisory-database/pull/4942
- https://github.com/yaml/pyyaml/commit/0cedb2a0697b2bc49e4f3841b8d4590b6b15657e
Frequently Asked Questions
What is CVE-2020-1747?
CVE-2020-1747 is a vulnerability in the PyYAML library that can allow a remote attacker to execute arbitrary code on the system.
What is the severity level of CVE-2020-1747?
CVE-2020-1747 has a severity level of critical.
How does CVE-2020-1747 affect PyYAML?
CVE-2020-1747 affects PyYAML versions before 5.3.1.
How can an attacker exploit CVE-2020-1747?
An attacker can exploit CVE-2020-1747 by processing untrusted YAML files through the full_load method or with the FullLoader loader.
How can I fix CVE-2020-1747?
To fix CVE-2020-1747, update PyYAML to version 5.3.1 or later.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/author
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1747
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6757-jp84-gxfx
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- collector/github-advisory
- vendor/pyyaml
- canonical/pyyaml pyyaml
- version/pyyaml pyyaml/5.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/oracle
- canonical/oracle communications cloud native core network function cloud native environment
- version/oracle communications cloud native core network function cloud native environment/22.1.0
- package-manager/redhat
- package-manager/pip