Medium severity (5.3) · NVD Advisory · Published Sep 18, 2018 · Updated Jun 17, 2026
CVE-2018-17175
Description
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
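The root cause described above is a truthiness check: an empty list is falsy in Python, so a filter that tests `if not only:` cannot tell "expose no fields" apart from "no filter requested". The following is an added illustration, not marshmallow's own code: a constructed, minimal field filter with the record, role mapping and both variants (`dump_vulnerable`, `dump_fixed`) invented here to show the defect and the corrective check side by side.

```python
"""Toy field filter illustrating the "only" handling behind CVE-2018-17175.

Constructed example, not marshmallow's code: a minimal schema-like filter
that selects which fields of a record to expose. The vulnerable variant
tests the "only" option for truthiness, so an empty list (meaning "expose
nothing") is mistaken for "no filter" and every field is returned. The
fixed variant distinguishes None (no option given) from an empty list.
"""
from typing import Callable, Iterable, Optional

# Constructed sample record; "ssn" and "salary" are the fields a
# role-based filter is meant to withhold from most callers.
RECORD = {
    "id": 7,
    "name": "Ada",
    "email": "ada@example.com",
    "ssn": "000-00-0000",
    "salary": 120000,
}

# Constructed role -> "only" mapping (hypothetical). The "anonymous" role
# is intended to see no fields at all and therefore maps to an empty list.
ROLE_ONLY = {
    "admin": None,                     # no restriction: expose every field
    "support": ["id", "name", "email"],
    "anonymous": [],                   # expose nothing
}


def dump_vulnerable(record: dict, only: Optional[Iterable[str]]) -> dict:
    """Mirrors the pre-fix behaviour: an empty `only` is treated as absent."""
    if not only:  # BUG: [] is falsy, so it falls through to "all fields"
        return dict(record)
    allowed = set(only)
    return {k: v for k, v in record.items() if k in allowed}


def dump_fixed(record: dict, only: Optional[Iterable[str]]) -> dict:
    """Treat only None as "no option"; an empty list exposes nothing."""
    if only is None:
        return dict(record)
    allowed = set(only)
    return {k: v for k, v in record.items() if k in allowed}


def exposed_fields(dump: Callable[[dict, Optional[Iterable[str]]], dict],
                   role: str) -> set:
    """Return the set of field names `role` can see when serialized by `dump`."""
    return set(dump(RECORD, ROLE_ONLY[role]).keys())


if __name__ == "__main__":
    for role in ROLE_ONLY:
        print(f"{role:10s} vulnerable={sorted(exposed_fields(dump_vulnerable, role))}")
        print(f"{role:10s} fixed     ={sorted(exposed_fields(dump_fixed, role))}")
```

Running the block shows the "anonymous" role receiving all five fields from `dump_vulnerable` and none from `dump_fixed`, while the other roles behave identically in both. A unit test asserting that an empty `only` yields an empty result is a cheap regression guard for any code that builds the `only` option dynamically from a user role.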
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| marshmallow (PyPI) | < 2.15.1 | 2.15.1 |
| marshmallow (PyPI) | >= 3.0a0, < 3.0.0b9 | 3.0.0b9 |
Affected products
- ghsa-coords (2 versions): < 2.15.1, + 1 more
- (no CPE) range: < 2.15.1
- (no CPE) range: < 3.20.2-2.2
References (6)
- github.com/advisories/GHSA-9q2p-fj49-vpxj (GHSA: Advisory)
- github.com/marshmallow-code/marshmallow/issues/772 (NVD: Issue Tracking, Third Party Advisory)
- github.com/marshmallow-code/marshmallow/pull/777 (NVD: Third Party Advisory)
- github.com/marshmallow-code/marshmallow/pull/782 (NVD: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-17175 (GHSA: Advisory)
- github.com/pypa/advisory-database/tree/main/vulns/marshmallow/PYSEC-2018-67.yaml (GHSA: Web)