PT-2014-2162 · Django · Django Tastypie+1

Published

2014-10-27

Updated

2018-07-23

CVE-2011-4103

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Django Piston versions prior to 0.2.3 Django Piston versions 0.2.x prior to 0.2.2.1

Description The issue is related to the improper deserialization of YAML data in the emitters.py file, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method. A similar vulnerability exists in Django Tastypie.

Recommendations For Django Piston versions prior to 0.2.3, update to version 0.2.3 or later. For Django Piston versions 0.2.x prior to 0.2.2.1, update to version 0.2.2.1 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2011-4103

DSA-2344-1

GHSA-PVHP-V9QP-XF5R

PYSEC-2014-24

Affected Products

Django Piston

Django Tastypie

PT-2014-2162 · Django · Django Tastypie+1

CVE-2011-4103

Weakness Enumeration

Related Identifiers

Affected Products

References · 11