FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-yaml -- arbitrary code execution

Affected packages
py27-yaml < 4.1
py35-yaml < 4.1
py36-yaml < 4.1
py37-yaml < 4.1

Details

VuXML ID f6ea18bb-65b9-11e9-8b31-002590045d9c
Discovery 2018-06-27
Entry 2019-04-23

pyyaml reports:

the PyYAML.load function could be easily exploited to call any Python function. That means it could call any system command using os.system()

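As an added example (not from the VuXML entry or from PyYAML itself), the following screens untrusted YAML for PyYAML's python-specific tags before handing it to yaml.safe_load, which only builds plain YAML types and never instantiates Python objects. The function names and the sample documents are constructed for this illustration.

```python
import re
from typing import List, Tuple

# Explicit YAML tags in PyYAML's python namespace, in both the shorthand form
# (!!python/...) and the verbatim form (!<tag:yaml.org,2002:python/...>).
PYTHON_TAG = re.compile(r"!!python/[\w/.:]*|!<tag:yaml\.org,2002:python/[^>]*>")


def find_python_tags(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag) for every python-specific tag in the document.

    Comments are dropped first (a YAML comment is '#' at line start or after
    whitespace), so a commented-out tag is not reported. Tags inside quoted
    scalars are still reported: conservative, which is what a screen wants.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = re.split(r"(?:^|\s)#", line, maxsplit=1)[0]
        for match in PYTHON_TAG.finditer(code):
            hits.append((lineno, match.group(0)))
    return hits


def load_untrusted(text: str):
    """Parse YAML from an untrusted source.

    Rejects the document outright if it carries python-specific tags; otherwise
    parses with yaml.safe_load, which raises on such tags anyway but is kept as
    the loader of record so no code path ever reaches yaml.load.
    """
    hits = find_python_tags(text)
    if hits:
        raise ValueError("refusing YAML with python-specific tags: %r" % hits)
    import yaml  # PyYAML; imported lazily so the scanner works without it
    return yaml.safe_load(text)


# Constructed samples: a benign config and one carrying an object/apply tag
# (a harmless callable is used; the tag form is what the screen looks for).
BENIGN = "service:\n  port: 8080\n  hosts: [a, b]\n"
TAGGED = "service:\n  port: !!python/object/apply:builtins.len [[1, 2, 3]]\n"
```

Running find_python_tags over configuration files in CI gives a cheap detection for the tag form this advisory is about, independent of which loader the consuming code uses.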
References

CVE Name CVE-2017-18342
URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342
URL https://github.com/yaml/pyyaml/pull/74