github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-6757-jp84-gxfx] Improper Input Validation in PyYAML #4942

Closed amita-seal closed 1 month ago

amita-seal commented 1 month ago

Updates:

Comments: CVE is only relevant since version 5.1b1, see Snyk as reference.

darakian commented 1 month ago

Looking at the Red Hat bug report, there's a claim that the first affected version is 5.1: https://bugzilla.redhat.com/show_bug.cgi?id=1807367#c2

They call out the class FullLoader as the affected component; the fix we have on record seems to show FullConstructor as the class being altered: https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0

Digging in a bit, it seems that FullLoader and FullConstructor both came into existence in https://github.com/yaml/pyyaml/commit/0cedb2a0697b2bc49e4f3841b8d4590b6b15657e, which has the tag 5.1b7 rather than 5.1b1. Where does 5.1b1 come from?
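The range correction above turns on pre-release ordering: under PEP 440, 5.1b7 sorts before the final 5.1, so an affected range that starts at "5.1" (the Red Hat claim) silently excludes the beta in which FullLoader first appeared. The following is an added example, not code from PyYAML or the advisory database, that implements the subset of PEP 440 ordering needed for PyYAML tags and checks candidate versions against the two proposed range starts. The start 5.1b7 is taken from the thread; the thread names no fixed version, so the upper bound is an optional parameter rather than an assumed value, and the candidate tag list is constructed for the demonstration.

```python
"""Check whether a PyYAML version string falls inside an advisory range.

Added example for this thread, not code from PyYAML or the advisory
database.  It implements the subset of PEP 440 ordering needed for
PyYAML tags (final releases plus a/b/rc pre-releases) so it runs
offline without the `packaging` library.  The range start 5.1b7 is the
value the thread settles on; the thread gives no fixed version, so the
upper bound is left as an optional parameter rather than assumed.
"""
import re

# PEP 440 pre-release ordering: aN < bN < rcN < final release
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = len(_PRE_RANK)
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")


def parse_version(text):
    """Return a sort key (release tuple, pre-release tuple) for `text`.

    Trailing zero release segments are dropped so that 5.1 == 5.1.0,
    and a final release sorts after every pre-release of the same
    release number (5.1b7 < 5.1).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    if m.group(2):
        pre = (_PRE_RANK[m.group(2)], int(m.group(3)))
    else:
        pre = (_FINAL_RANK, 0)
    return (release, pre)


def in_range(version, first_affected, first_fixed=None):
    """True if first_affected <= version < first_fixed (fixed bound optional)."""
    v = parse_version(version)
    if v < parse_version(first_affected):
        return False
    if first_fixed is not None and v >= parse_version(first_fixed):
        return False
    return True


def classify(candidates, first_affected, first_fixed=None):
    """Map each candidate version string to whether it is inside the range."""
    return {c: in_range(c, first_affected, first_fixed) for c in candidates}


if __name__ == "__main__":
    # Constructed sample: the tags discussed in the thread plus a later release.
    tags = ["5.1b1", "5.1b7", "5.1", "5.3"]
    for start in ("5.1", "5.1b7"):  # Red Hat's claimed start vs. the corrected one
        print(f"range starting at {start}: {classify(tags, start)}")
```

Run with a range starting at "5.1", the 5.1b7 beta is reported as unaffected; with the corrected start "5.1b7" it is inside the range while 5.1b1 stays outside, which is the distinction the thread is settling. The same key function works for any PyYAML tag of the form `N.N[.N][a|b|rc N]`; anything else is rejected rather than guessed.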

amita-seal commented 1 month ago

I think you're correct and the range should start at 5.1b7.

amita-seal commented 1 month ago

Hi @darakian, if we agree, can you merge this?

Thanks!

advisory-database[bot] commented 1 month ago

Hi @amita-seal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

darakian commented 1 month ago

Sorry about the delay. I got a little tied up at GitHub Universe the last two days. We should be good now 👍