CVE-2019-20477 (High) detected in PyYAML-5.1.2.tar.gz

[mend-bolt-for-github]

CVE-2019-20477 - High Severity Vulnerability

Vulnerable Library - PyYAML-5.1.2.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/e3/e8/b3212641ee2718d556df0f23f78de8303f068fe29cdaa7a91018849582fe/PyYAML-5.1.2.tar.gz

Path to dependency file: cortx-ha/jenkins/pyinstaller/v1/requirements.txt

Path to vulnerable library: cortx-ha/jenkins/pyinstaller/v1/requirements.txt,cortx-ha/jenkins/pyinstaller/v2/requirements.txt

Dependency Hierarchy:

• ❌ PyYAML-5.1.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 489a85b33aee06bc85dc7f2b7c71262cada47dd9

Found in base branch: main

Vulnerability Details

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

Publish Date: 2020-02-19

URL: CVE-2019-20477

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477

Release Date: 2020-02-19

Fix Resolution: 5.2

---

⛑️ Automatic Remediation is available for this issue

[stale]

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @indrajitzagade @ajaysrivas for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.

[stale]

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @indrajitzagade @ajaysrivas for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.

[stale]

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @indrajitzagade @ajaysrivas for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.

[cortx-admin]

Subhash Arya commented in Jira Server:

Duplicate of EOS-23696

[cortx-admin]

Subhash Arya commented in Jira Server:

.

[cortx-admin]

Swanand Gadre commented in Jira Server:

This bug is closing as duplicate of -> [EOS-23696] Upgrade PyYAML library from PyYAML-5.1.2.tar.gz to PyYAML 5.4.1 - JIRA NSS (seagate.com)

 

All the PyYAML library upgrade from 5.1.2 to 5.4.1 will be tracked thru -> [EOS-23696] Upgrade PyYAML library from PyYAML-5.1.2.tar.gz to PyYAML 5.4.1 - JIRA NSS (seagate.com)