CVE-2017-18342 — PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

Description

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

How to fix CVE-2017-18342

To remediate CVE-2017-18342, upgrade the affected package to a fixed version below.

—upgrade to 5.1.2-1 or later
—upgrade to 4.1 or later
—upgrade to 5.1 or later

Is CVE-2017-18342 being exploited?

Low — EPSS is 4.8%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 5.1.2-1
from 0, < 4.1
from 0, < 5.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (18)

ADVISORYgithub.com/advisories/GHSA-rprw-h62v-c2w7
ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-18342
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-18342
PATCHgithub.com/yaml/pyyaml
WEB