PT-2017-14496 · Mlalchemy · Mlalchemy

Joel · Published 2017-11-08 · Updated 2019-10-03 · CVE-2017-16615

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MLAlchemy versions prior to 0.2.2

Description: A vulnerability exists in the YAML parsing functionality. When processing YAML-based queries for data, the YAML parser can execute arbitrary Python code, resulting in command execution. This occurs because the load function is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this issue.

Recommendations: For versions prior to 0.2.2, update to version 0.2.2 or later to resolve the issue. As a temporary workaround, modify the parse_yaml_query method in parser.py to use safe_load instead of load to prevent arbitrary command execution.
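The following is an added example, not code from MLAlchemy or from this advisory. It shows the load-versus-safe_load distinction the description relies on: safe_load constructs only plain YAML types and raises on any !!python/* tag, while a loader that honours python tags constructs them. The constructed sample documents, the assumed query field names, and the hypothetical parser source fed to the small AST check (which flags yaml.load calls that pass no Loader, the pre-0.2.2 pattern) are all assumptions for illustration. The python/tuple tag is used only because it is harmless and still shows the behavioural difference.

```python
# Added example (not MLAlchemy's own code): the safe_load-vs-load distinction
# the advisory describes, plus a small AST check for the unsafe call pattern.
import ast
import yaml

# Constructed sample: a benign YAML query of the general shape a YAML-based
# query parser accepts. The field names are assumed, not MLAlchemy's schema.
QUERY_YAML = """\
from: users
where:
  name: alice
limit: 10
"""

# Constructed sample carrying a PyYAML-specific !!python/* tag. safe_load
# refuses every such tag; a loader that honours python tags constructs it.
# python/tuple is benign and is used here purely to show the difference.
PYTHON_TAG_YAML = "query: !!python/tuple [1, 2]"

# Constructed source of a hypothetical parser module (not MLAlchemy's
# parser.py) for the static check below.
SAMPLE_PARSER_SOURCE = """\
import yaml

def parse_yaml_query(text):
    return yaml.load(text)

def parse_yaml_query_fixed(text):
    return yaml.safe_load(text)
"""


def parse_yaml_query_safe(text):
    """Hardened variant: safe_load builds only plain YAML types (str, int,
    float, bool, None, list, dict) and raises on tag-driven construction."""
    return yaml.safe_load(text)


def parse_yaml_query_full(text):
    """Comparison only: a loader that still honours some !!python/* tags.
    The pre-0.2.2 code called yaml.load(text) with no Loader, which in the
    PyYAML releases of that time honoured every python tag."""
    return yaml.load(text, Loader=yaml.FullLoader)


def is_rejected_by_safe_load(text):
    """True if safe_load refuses the document. The ConstructorError raised
    for an unknown tag is a subclass of yaml.YAMLError."""
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return True
    return False


def find_unsafe_yaml_load(source):
    """Line numbers of yaml.load(...) calls that pass no Loader argument,
    i.e. the pattern the advisory describes. A lightweight AST check."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_yaml_load = (isinstance(func, ast.Attribute) and func.attr == "load"
                        and isinstance(func.value, ast.Name)
                        and func.value.id == "yaml")
        if not is_yaml_load:
            continue
        has_loader = len(node.args) >= 2 or any(
            kw.arg == "Loader" for kw in node.keywords)
        if not has_loader:
            hits.append(node.lineno)
    return hits


if __name__ == "__main__":
    print(parse_yaml_query_safe(QUERY_YAML))
    print(parse_yaml_query_full(PYTHON_TAG_YAML))
    print("safe_load rejects python tag:", is_rejected_by_safe_load(PYTHON_TAG_YAML))
    print("yaml.load without Loader at lines:", find_unsafe_yaml_load(SAMPLE_PARSER_SOURCE))
```

In a code review or CI job, find_unsafe_yaml_load run over the project's sources is the quickest way to confirm that the workaround has been applied everywhere, since a single remaining yaml.load without a safe loader keeps the issue alive.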


Related Identifiers

CVE-2017-16615
GHSA-XPM8-98MX-H4C5
PYSEC-2017-19

Affected Products

Mlalchemy