CVE-2017-18342
Public on 2018-06-27
Modified on 2024-04-30
Description
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
---
Amazon is aware of CVE-2017-18342. The versions of PyYAML for Amazon Linux 1 and Amazon Linux 2 are affected. To address this issue, PyYAML changed the behavior of the yaml.load() function to mimic yaml.safe_load(), which had the potential to break applications calling this function. To avoid breaking applications running on Amazon Linux 1 and Amazon Linux 2 that consume PyYAML, we are not addressing this CVE. To mitigate this issue, applications must be modified to use yaml.safe_load() instead of the affected yaml.load() method.
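The mitigation the advisory calls for, as an added example that is not part of the Amazon advisory or of PyYAML: parse untrusted YAML with yaml.safe_load() (or yaml.load() with SafeLoader passed explicitly) and handle the rejection of tags outside the safe YAML subset. The function names and both sample documents are constructed for this example.

```python
# Added example, not from the advisory: the yaml.safe_load() mitigation
# applied to untrusted input. Function names and sample documents are
# constructed for illustration.
import yaml

# Constructed sample: an ordinary configuration document.
PLAIN_DOC = """
service: web
replicas: 3
ports: [80, 443]
"""

# Constructed sample: a document carrying a Python-specific tag. The safe
# loader only knows the core YAML types, so it refuses this document instead
# of instantiating a Python object as the pre-5.1 default yaml.load() would.
TAGGED_DOC = """
service: web
replicas: !!python/tuple [1, 2]
"""


def load_untrusted(text):
    """Parse YAML that came from an untrusted source.

    Returns (data, None) on success, or (None, error_class_name) when the
    document uses a tag the safe loader does not construct.
    """
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:
        # ConstructorError for unknown tags; other YAMLError subclasses for
        # malformed input. Either way the document is rejected, not executed.
        return None, type(exc).__name__


def load_with_explicit_loader(text):
    """Equivalent for code that must keep calling yaml.load(): passing
    SafeLoader gives safe_load() semantics and avoids the loader-less call
    that PyYAML 5.1 deprecated."""
    return yaml.load(text, Loader=yaml.SafeLoader)


if __name__ == "__main__":
    print(load_untrusted(PLAIN_DOC))
    print(load_untrusted(TAGGED_DOC))
```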
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 2 - Core | PyYAML | | | No Fix Planned |
Amazon Linux 2023 | PyYAML | | | Not Affected |
Amazon Linux 1 | python-PyYAML | | | No Fix Planned |
Amazon Linux 2 - Awscli1 Extra | python3-PyYAML | | | No Fix Planned |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
NVD | CVSSv2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
NVD | CVSSv3 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |