CVE-2019-20478
Public on 2020-02-19
Modified on 2024-07-30
Description
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
AWS is aware of CVE-2019-20478. To address this issue, ruamel-yaml developers have deprecated [1] the top level yaml.load() function in favor of the default safe YAML.load() method. To avoid breaking applications running on Amazon Linux 2023 that consume ruamel-yaml, and since proper usage does not pose a risk to customers, this will not be fixed. To address this issue, applications should be modified to use yaml=YAML(typ='safe') or one of the other safe methods.
[1] https://yaml.readthedocs.io/en/latest/
AWS is aware of CVE-2019-20478. To address this issue, ruamel-yaml developers have deprecated [1] the top level yaml.load() function in favor of the default safe YAML.load() method. To avoid breaking applications running on Amazon Linux 2023 that consume ruamel-yaml, and since proper usage does not pose a risk to customers, this will not be fixed. To address this issue, applications should be modified to use yaml=YAML(typ='safe') or one of the other safe methods.
[1] https://yaml.readthedocs.io/en/latest/
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2023 | python-ruamel-yaml | No Fix Planned | ||
| Amazon Linux 2023 | python-ruamel-yaml-clib | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv3 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv2 | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |