Skip to content

[GHSA-6757-jp84-gxfx] Improper Input Validation in PyYAML#4942

Merged
advisory-database[bot] merged 1 commit into
amita-seal/advisory-improvement-4942from
amita-seal-GHSA-6757-jp84-gxfx
Oct 31, 2024
Merged

[GHSA-6757-jp84-gxfx] Improper Input Validation in PyYAML#4942
advisory-database[bot] merged 1 commit into
amita-seal/advisory-improvement-4942from
amita-seal-GHSA-6757-jp84-gxfx

Conversation

@amita-seal
Copy link
Copy Markdown

@amita-seal amita-seal commented Oct 27, 2024

Updates

  • Affected products
  • CVSS v3

Comments
CVE is only relevant since version 5.1b1, see snyk as reference.

@github-actions github-actions Bot changed the base branch from main to amita-seal/advisory-improvement-4942 October 27, 2024 08:35
@darakian
Copy link
Copy Markdown
Contributor

darakian commented Oct 28, 2024

Looking at the redhat bug report there's a claim that the first affected version is 5.1
https://bugzilla.redhat.com/show_bug.cgi?id=1807367#c2
They call out the class FullLoader as the affected component
the fix we have on record seems to show FullConstructor as the class being altered
yaml/pyyaml@5080ba5
Digging in a bit it seems that FullLoader and FullConstructor both came into existence on
yaml/pyyaml@0cedb2a

Which has the tag 5.1b7 rather than 5.1b1. Where does 5.1b1 come from?

@amita-seal
Copy link
Copy Markdown
Author

amita-seal commented Oct 29, 2024

I think you're correct and the range should start at 5.1b7.

@amita-seal
Copy link
Copy Markdown
Author

amita-seal commented Oct 31, 2024

Hi @darakian
If we agree can you merge this?

Thanks!

@advisory-database advisory-database Bot merged commit f406ec0 into amita-seal/advisory-improvement-4942 Oct 31, 2024
@advisory-database
Copy link
Copy Markdown
Contributor

advisory-database Bot commented Oct 31, 2024

Hi @amita-seal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database Bot deleted the amita-seal-GHSA-6757-jp84-gxfx branch October 31, 2024 16:17
@darakian
Copy link
Copy Markdown
Contributor

darakian commented Oct 31, 2024

Sorry about the delay. I got a little tied up at github universe the last two days. We should be good now 👍

This was referenced Aug 22, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Aug 26, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@alee-dependabot-alert-reader alee-dependabot-alert-reader Bot mentioned this pull request Sep 4, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amita-seal @darakian