PT-2014-2163 · Django · Django Tastypie
Daveyss
·
Publicado
2014-10-27
·
Atualizado
2022-05-14
·
CVE-2011-4104
CVSS v4.0
9.3
Crítica
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Django Tastypie versions prior to 0.9.10
Description
The issue concerns the improper deserialization of YAML data by the
from yaml method in serializers.py, allowing remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.Recommendations
For versions prior to 0.9.10, update to version 0.9.10 or later to resolve the issue. As a temporary workaround, consider disabling the
from yaml method until a patch is available. Restrict access to the yaml.load method to minimize the risk of exploitation.Correção
Deserialization of Untrusted Data
RCE
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Django Tastypie