Critical severity · NVD Advisory · Published Feb 19, 2020 · Updated Aug 5, 2024
CVE-2019-20477
Description
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
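What this means for code that parses untrusted YAML, shown as an added example (this is not PyYAML project code and not part of the NVD text): on PyYAML 5.1 through 5.1.2 the dangerous call is `yaml.load(text)` with no Loader argument (which in 5.1.x fell back to FullLoader with a warning) or `yaml.load(text, Loader=yaml.FullLoader)`. The script below never makes that call. It takes a constructed document shaped like the description's hint (a `python/object/apply` tag naming `subprocess.Popen`) and shows the two controls a practitioner wants: a pre-parse scan that rejects any `python/*` tag in untrusted input, and parsing with `SafeLoader`, which refuses such tags on every PyYAML version. The helper names (`find_python_tags`, `load_untrusted`, `safe_loader_rejects`) and the sample documents are this example's own.

```python
"""Added example for CVE-2019-20477 (not PyYAML project code).

Vulnerable shape on PyYAML 5.1 through 5.1.2 (NOT executed here):
    yaml.load(untrusted)                          # no Loader: used FullLoader
    yaml.load(untrusted, Loader=yaml.FullLoader)
"""
import re

try:
    import yaml  # PyYAML; optional so the tag scanner still runs without it
    HAVE_YAML = True
except ImportError:
    yaml = None
    HAVE_YAML = False

# PyYAML's python-specific tags, in "!!python/..." shorthand or the verbose
# "!<tag:yaml.org,2002:python/...>" form. Any of these in untrusted input is
# a red flag regardless of which loader will parse it.
PYTHON_TAG = re.compile(
    r"(?:!!|!<tag:yaml\.org,2002:)"
    r"(python/[A-Za-z_]+(?:/[A-Za-z_]+)?(?::[\w.]+)?)"
)

# Constructed sample input: the tag names the class the description mentions.
MALICIOUS = """\
service:
  handler: !!python/object/apply:subprocess.Popen
    - ["echo", "owned"]
"""
BENIGN = "service:\n  handler: app\n  ports: [80, 443]\n"


def find_python_tags(text: str) -> list:
    """Return every python/* tag spelled in the document text."""
    return PYTHON_TAG.findall(text)


def load_untrusted(text: str) -> tuple:
    """Parse untrusted YAML defensively.

    Returns (ok, value): value is the parsed data on success, else a reason.
    Step 1 rejects python/* tags before any parser sees them; step 2 parses
    with SafeLoader, which only builds plain scalars, lists and dicts.
    """
    tags = find_python_tags(text)
    if tags:
        return False, "rejected: python-specific tags %s" % tags
    if not HAVE_YAML:
        return False, "rejected: PyYAML is not installed"
    try:
        return True, yaml.load(text, Loader=yaml.SafeLoader)
    except yaml.YAMLError as exc:
        return False, "rejected: %s" % type(exc).__name__


def safe_loader_rejects(text: str):
    """True if SafeLoader itself refuses the document, i.e. the second
    control holds even when the pre-scan is skipped. None without PyYAML."""
    if not HAVE_YAML:
        return None
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(find_python_tags(MALICIOUS))   # ['python/object/apply:subprocess.Popen']
    print(load_untrusted(MALICIOUS))     # (False, 'rejected: python-specific tags [...]')
    print(load_untrusted(BENIGN))        # (True, {'service': {'handler': 'app', 'ports': [80, 443]}})
    print(safe_loader_rejects(MALICIOUS))  # True when PyYAML is installed
```

The pre-scan is a cheap detection layer (it also works as a log or WAF rule on YAML bodies); the real fix is upgrading off 5.1.x and never handing untrusted input to anything but `SafeLoader`, since `FullLoader` exists to construct Python objects and its restrictions have been bypassed more than once.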
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyyaml (PyPI) | >= 5.1, < 5.2 | 5.2 |
Affected products
18 entries: PyYAML/PyYAML (from the description) plus the 17 GHSA coordinates below. None carries a CPE. The AlmaLinux entries are python38 module builds sharing the module ID module_el8.6.0+2778+cd494b30; their ranges are paired with the purls in the order the advisory lists them.

| Package (purl) | Affected range |
|---|---|
| pkg:pypi/pyyaml | >= 5.1, < 5.2 |
| pkg:rpm/almalinux/python38-asn1crypto | < 1.2.0-3.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-cffi | < 1.13.2-3.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-chardet | < 3.0.4-19.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-cryptography | < 2.8-3.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-Cython | < 0.29.14-4.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-idna | < 2.8-6.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-markupsafe | < 1.1.1-6.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-mod_wsgi | < 4.6.8-3.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-psycopg2 | < 2.8.4-4.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-psycopg2-doc | < 2.8.4-4.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-psycopg2-tests | < 2.8.4-4.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-pycparser | < 2.19-3.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-pysocks | < 1.7.1-4.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-pytz | < 2019.3-3.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-requests | < 2.22.0-9.module_el8.6.0+2778+cd494b30 |
| pkg:rpm/almalinux/python38-scipy | < 1.3.1-4.module_el8.6.0+2778+cd494b30 |
Patches
Fixed in pyyaml 5.2 on PyPI (the patched version in the Affected packages table); the change is recorded in the PyYAML CHANGES file and distribution updates are tracked in the Fedora vendor advisories, both listed under References.
References
- GHSA advisory: https://github.com/advisories/GHSA-3pqx-4fqf-j49f
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-20477
- PyPA advisory database (PYSEC-2020-176): https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2020-176.yaml
- PyYAML CHANGES file: https://github.com/yaml/pyyaml/blob/master/CHANGES
- Fedora package-announce vendor advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33VBUY73AA6CTTYL3LRWHNFDULV7PFPN/
- Fedora package-announce vendor advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/52N5XS73Z5S4ZN7I7R56ICCPCTKCUV4H/
- Exploit-DB entry 47655: https://www.exploit-db.com/download/47655