CVE-2020-1747

Priority
Description
A vulnerability was discovered in the PyYAML library in versions before
5.3.1, where it is susceptible to arbitrary code execution when it
processes untrusted YAML files through the full_load method or with the
FullLoader loader. Applications that use the library to process untrusted
input may be vulnerable to this flaw. An attacker could use this flaw to
execute arbitrary code on the system by abusing the python/object/new
constructor.
Notes
mdeslaurFullLoader was introduced in 5.1. FullLoader should not be used
on untrusted input, setting priority to low.
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (code not present)
Ubuntu 20.04 LTS (Focal Fossa):not-affected (5.3-2)
Ubuntu 20.10 (Groovy Gorilla):not-affected (5.3-2)
More Information

Updated: 2020-09-10 06:36:52 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)