
[GHSA-6757-jp84-gxfx] Improper Input Validation in PyYAML #4942

Conversation

amita-seal

Updates

  • Affected products
  • CVSS v3

Comments
The CVE is only relevant since version 5.1b1; see Snyk as a reference.

@github-actions github-actions bot changed the base branch from main to amita-seal/advisory-improvement-4942 October 27, 2024 08:35
@darakian
Contributor

Looking at the Red Hat bug report, there's a claim that the first affected version is 5.1:
https://bugzilla.redhat.com/show_bug.cgi?id=1807367#c2
They call out the class FullLoader as the affected component. The fix we have on record seems to show FullConstructor as the class being altered:
yaml/pyyaml@5080ba5
Digging in a bit, it seems that FullLoader and FullConstructor both came into existence on
yaml/pyyaml@0cedb2a

which has the tag 5.1b7 rather than 5.1b1. Where does 5.1b1 come from?

@amita-seal
Author

I think you're correct and the range should start at 5.1b7.
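As an added example (not code from this PR, from the advisory database, or from PyYAML): a stdlib-only version check that encodes the thread's conclusion that the affected range starts at the 5.1b7 tag, so 5.1b1 through 5.1b6 fall outside it, applied to a few constructed requirement pins. The point it makes concrete is pre-release ordering: 5.1b7 sorts before the final 5.1, so a plain string or float comparison gets the boundary wrong. The fixed version is not stated on this page; FIXED_VERSION is an assumption used only so the sample has an upper bound, and is_affected takes both bounds as parameters. In production, use packaging.version rather than this minimal parser.

```python
import re
from typing import List, Tuple

# Affected range as concluded in the thread: FullLoader/FullConstructor first
# appeared at tag 5.1b7. The fixed version is NOT stated on this page;
# FIXED_VERSION is an assumption chosen so the example has an upper bound.
FIRST_AFFECTED = "5.1b7"
FIXED_VERSION = "5.3.1"  # assumption, not taken from the page

# Minimal 'X.Y[.Z][{a|b|rc}N]' grammar; enough for PyYAML-style tags.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int, int]]:
    """Turn a version string into a sortable key.

    Release digits compare numerically (5.1 < 5.3.1). A pre-release key
    starts with 0 and a final release with 1, so 5.1b7 < 5.1 even though
    the strings would sort the other way. Trailing zeros are stripped so
    5.1.0 == 5.1.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    if m.group(2) is None:
        pre = (1, 0, 0)  # final release ranks above any pre-release
    else:
        rank = {"a": 0, "b": 1, "rc": 2}[m.group(2)]
        pre = (0, rank, int(m.group(3)))
    return release, pre


def is_affected(version: str,
                first_affected: str = FIRST_AFFECTED,
                fixed: str = FIXED_VERSION) -> bool:
    """True if first_affected <= version < fixed under pre-release ordering."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(fixed)


def affected_from_requirements(lines: List[str]) -> List[str]:
    """Scan 'pyyaml==X' pins and return the pinned versions inside the range."""
    hits = []
    for line in lines:
        m = re.match(r"^\s*pyyaml\s*==\s*(\S+)", line, re.IGNORECASE)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample pins, not taken from any real project.
SAMPLE_PINS = [
    "PyYAML==5.1b1",     # before FullLoader existed: not affected
    "pyyaml==5.1b7",     # first tag carrying FullLoader: affected
    "PyYAML==5.1",       # final release after the beta: affected
    "pyyaml==5.3",       # affected
    "PyYAML==5.3.1",     # assumed fixed version: not affected
    "requests==2.31.0",  # unrelated package, ignored
]

if __name__ == "__main__":
    for pin in SAMPLE_PINS:
        print(pin, "->", "affected" if pin.lower().startswith("pyyaml")
              and is_affected(pin.split("==")[1]) else "ok")
```

The parser deliberately refuses strings it does not understand (post-releases, local versions, dev tags) rather than guessing, so a scanner built on it fails loudly on an unexpected pin instead of silently reporting it clean.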

@amita-seal
Author

Hi @darakian
If we agree can you merge this?

Thanks!

@advisory-database advisory-database bot merged commit f406ec0 into amita-seal/advisory-improvement-4942 Oct 31, 2024
2 checks passed
@advisory-database
Contributor

Hi @amita-seal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the amita-seal-GHSA-6757-jp84-gxfx branch October 31, 2024 16:17
@darakian
Contributor

Sorry about the delay. I got a little tied up at GitHub Universe the last two days. We should be good now 👍
