PT-2014-2163 · Django · Django Tastypie

Daveyss

Published

2014-10-27

Updated

2022-05-14

CVE-2011-4104

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Django Tastypie versions prior to 0.9.10

Description The issue concerns the improper deserialization of YAML data by the from yaml method in serializers.py, allowing remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.

Recommendations For versions prior to 0.9.10, update to version 0.9.10 or later to resolve the issue. As a temporary workaround, consider disabling the from yaml method until a patch is available. Restrict access to the yaml.load method to minimize the risk of exploitation.

Fix

Deserialization of Untrusted Data

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-20

Related Identifiers

CVE-2011-4104

GHSA-QGVW-QC2Q-GV5Q

PYSEC-2014-25

Affected Products

Django Tastypie

PT-2014-2163 · Django · Django Tastypie

CVE-2011-4104

Weakness Enumeration

Related Identifiers

Affected Products

References · 14