PyYAML

By the Year

In 2024 there have been 0 vulnerabilities in PyYAML. PyYAML did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 1 9.80
2020 2 9.80
2019 0 0.00
2018 1 9.80

It may take a day or so for new PyYAML vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent PyYAML Security Vulnerabilities

CVE-2020-14343 9.8 - Critical - February 09, 2021

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Improper Input Validation

CVE-2020-1747 9.8 - Critical - March 24, 2020

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Improper Input Validation

CVE-2019-20477 9.8 - Critical - February 19, 2020

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

Marshaling, Unmarshaling

CVE-2017-18342 9.8 - Critical - June 27, 2018

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

Improper Input Validation
