PT-2018-13935 · Marshmallow Library · Marshmallow

Published: 2018-09-18 · Updated: 2026-04-30 · CVE-2018-17175

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
marshmallow library versions prior to 2.15.1
marshmallow library versions 3.x prior to 3.0.0b9

Description
The issue arises from the schema "only" option in the marshmallow library: an empty list passed as "only" is treated as if no "only" option was specified at all. Under specific conditions, namely dynamic filtering of the schema by user role where some roles produce an empty value for "only", a request can therefore expose all fields instead of none.

Recommendations
For versions prior to 2.15.1, update to version 2.15.1 or later to resolve the issue. For versions 3.x prior to 3.0.0b9, update to version 3.0.0b9 or later to resolve the issue.
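The failure mode described above is a falsy-value check standing in for an explicit "no restriction" check. The following is an added example (not marshmallow's own code, and not from this advisory) that models that distinction in a simplified field-selection function: `select_fields_vulnerable` mirrors the pre-fix behaviour, `select_fields_fixed` the corrected behaviour, and `dump_for_role` shows the role-based dynamic filtering scenario the advisory names. The `ROLE_FIELDS` table and `SAMPLE_USER` record are constructed for the example; `probe_installed_marshmallow` is a hypothetical regression check that uses only the public `Schema`/`fields` API and reports whether the marshmallow installed in the current environment still treats `only=[]` as "dump everything".

```python
"""Model of the CVE-2018-17175 bug class: an empty `only` list mistaken for "no `only`".

Added example; the selection functions are a simplified reconstruction, not
marshmallow's implementation.
"""
from typing import Dict, Iterable, Optional

# Constructed sample record, standing in for an object a schema would serialise.
SAMPLE_USER = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.invalid",
    "password_hash": "<constructed-placeholder>",
}

# Constructed role -> allowed fields table; note the anonymous role yields an empty list.
ROLE_FIELDS = {
    "admin": ["id", "username", "email"],
    "member": ["id", "username"],
    "anonymous": [],
}


def select_fields_vulnerable(record: Dict, only: Optional[Iterable[str]] = None) -> Dict:
    """Pre-fix style: a truthiness test, so `only=[]` is indistinguishable from `only=None`."""
    if only:
        allowed = set(only)
        return {k: v for k, v in record.items() if k in allowed}
    return dict(record)  # falls through for [] as well as None: every field is exposed


def select_fields_fixed(record: Dict, only: Optional[Iterable[str]] = None) -> Dict:
    """Fixed style: only `None` means "no restriction"; an empty list means "no fields"."""
    if only is not None:
        allowed = set(only)
        return {k: v for k, v in record.items() if k in allowed}
    return dict(record)


def fields_for_role(role: str) -> list:
    """Dynamic filtering by role; unknown roles get nothing (least privilege default)."""
    return list(ROLE_FIELDS.get(role, []))


def dump_for_role(record: Dict, role: str, select=select_fields_fixed) -> Dict:
    """Serialise `record` for `role` using the given selection function."""
    return select(record, only=fields_for_role(role))


def probe_installed_marshmallow() -> Optional[bool]:
    """Hypothetical regression check against the installed marshmallow, if any.

    Returns True if `Schema(only=[])` dumps nothing (fixed behaviour), False if it
    dumps every declared field (vulnerable behaviour), None if marshmallow is not
    importable. Uses only the public Schema/fields API.
    """
    try:
        from marshmallow import Schema, fields
    except ImportError:
        return None

    class UserSchema(Schema):
        id = fields.Int()
        username = fields.Str()
        email = fields.Str()

    result = UserSchema(only=[]).dump(SAMPLE_USER)
    data = getattr(result, "data", result)  # 2.x returns MarshalResult, 3.x returns a dict
    return data == {}


if __name__ == "__main__":
    print("vulnerable, anonymous:", dump_for_role(SAMPLE_USER, "anonymous", select_fields_vulnerable))
    print("fixed, anonymous:     ", dump_for_role(SAMPLE_USER, "anonymous"))
    print("installed marshmallow fixed?", probe_installed_marshmallow())
```

With the vulnerable selector, the anonymous role receives the whole record, including the password hash, because the empty allow-list is treated as "unrestricted"; with the fixed selector it receives an empty object. The general lesson for any field-filtering layer is that "no restriction" and "restrict to nothing" must be distinct values (`None` versus an empty collection), and a test covering the empty case belongs in the schema's test suite.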

Fix

Weakness Enumeration

Improperly Implemented Security Check for Standard

Related Identifiers

CVE-2018-17175
GHSA-9Q2P-FJ49-VPXJ
MGASA-2019-0065
OPENSUSE-SU-2024:11238-1
OPENSUSE-SU-2024:14147-1
PYSEC-2018-67
USN-8225-1

Affected Products

Linuxmint
Ubuntu
Marshmallow