PT-2021-3478 · Pypi+9 · Pyyaml+9

Ahmed Shah +1 · Published 2020-05-27 · Updated 2025-12-29 · CVE-2020-14343

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions PyYAML versions prior to 5.4
Description PyYAML before 5.4 is susceptible to arbitrary code execution when it processes untrusted YAML through the full_load method or the FullLoader loader. FullLoader was meant to refuse constructors that run code, but its restrictions were incomplete (this is the incomplete fix for CVE-2020-1747): a crafted document can abuse the python/object/new constructor to instantiate arbitrary Python objects and thereby run attacker-controlled code with the privileges of the parsing process. Any application that passes attacker-supplied YAML to full_load, or to load with FullLoader (which is also the loader selected when load is called without a Loader argument in 5.1 through 5.x), is exposed; the flaw is reachable remotely and requires no authentication or user interaction.
Recommendations Upgrade PyYAML to 5.4 or later, which tightens the checks in FullLoader's python/object/new constructor. Regardless of version, parse untrusted YAML only with yaml.safe_load (or yaml.load with Loader=yaml.SafeLoader), which never constructs arbitrary Python objects; full_load, unsafe_load and FullLoader are for trusted, application-controlled documents only. Where an upgrade cannot be applied immediately, replace full_load and FullLoader call sites that receive external input with safe_load, and audit the code base for yaml.load calls that omit the Loader argument.
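As an added example that is not part of this advisory or of PyYAML itself: a standard-library-only audit helper that (a) decides whether a PyYAML version string falls in the affected range (prior to 5.4), (b) reports whether the installed PyYAML is affected, and (c) walks Python source with `ast` to flag `yaml.load`, `full_load` and `unsafe_load` call sites that would hand input to a loader that honours python/object tags. The sample source it scans is constructed here, and the function names `is_affected`, `installed_pyyaml_affected` and `find_unsafe_yaml_loads` are this example's own.

```python
"""Audit helpers for CVE-2020-14343 (added example; not from the advisory or PyYAML).

Two checks a reviewer wants before touching a code base that parses YAML:
  1. Is the installed PyYAML in the affected range (< 5.4)?
  2. Which call sites hand input to a loader that honours python/object tags?
Only the standard library is used, so this runs whether or not PyYAML is installed.
"""
import ast
from importlib import metadata
from typing import List, Optional, Tuple

AFFECTED_BELOW = (5, 4)  # fixed in PyYAML 5.4

# Loaders that never construct arbitrary Python objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Convenience wrappers that select a constructor-capable loader.
UNSAFE_WRAPPERS = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.3.1' or '5.4b1' into a comparable tuple; trailing letters are ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version string falls in the vulnerable range (prior to 5.4)."""
    return parse_version(version) < AFFECTED_BELOW


def installed_pyyaml_affected() -> Optional[bool]:
    """Check the installed PyYAML distribution; None when it is not installed."""
    try:
        return is_affected(metadata.version("PyYAML"))
    except metadata.PackageNotFoundError:
        return None


def _loader_name(node: ast.AST) -> Optional[str]:
    """'yaml.FullLoader' or 'FullLoader' -> 'FullLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line, reason) for every yaml.* call that uses a constructor-capable loader.

    Limitation: only attribute calls on a module named `yaml` are recognised;
    `from yaml import load` style aliases are not followed.
    """
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"):
            continue
        name = func.attr
        if name in UNSAFE_WRAPPERS:
            findings.append((node.lineno, f"yaml.{name}() honours python/object tags"))
        elif name in ("load", "load_all"):
            loader = None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = _loader_name(kw.value)
            if loader is None and len(node.args) >= 2:
                loader = _loader_name(node.args[1])  # Loader passed positionally
            if loader is None:
                findings.append((node.lineno,
                                 f"yaml.{name}() without Loader= (FullLoader by default before 6.0)"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{name}(Loader={loader}) is not a safe loader"))
    return sorted(findings)


# Constructed sample: two safe call sites among vulnerable ones.
SAMPLE_SOURCE = '''\
import yaml
cfg1 = yaml.load(open("cfg.yml"))
cfg2 = yaml.load(data, Loader=yaml.FullLoader)
cfg3 = yaml.full_load(data)
cfg4 = yaml.safe_load(data)
cfg5 = yaml.load(data, yaml.SafeLoader)
cfg6 = yaml.unsafe_load(data)
'''

if __name__ == "__main__":
    print("installed PyYAML affected:", installed_pyyaml_affected())
    for line, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: {reason}")
```

Running the module on the constructed sample reports lines 2, 3, 4 and 7 (the Loader-less load, the explicit FullLoader, full_load and unsafe_load) and stays silent on the two SafeLoader-based calls. The version check is deliberately kept separate from the call-site scan: an upgrade to 5.4 closes this CVE, but a FullLoader call site that sees external input is still the wrong design and should be converted to safe_load.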

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

ALSA-2021:2583
ALT-PU-2021-1521
ALT-PU-2021-1534
AZL-31782
BDU:2021-03488
BDU:2023-05108
CESA-2021_2583
CVE-2020-14343
GHSA-8Q59-Q68H-6HV4
MGASA-2021-0119
OESA-2021-1257
OPENSUSE-SU-2024:11108-1
OPENSUSE-SU-2024:11210-1
OPENSUSE-SU-2024:14089-1
PYSEC-2021-142
RHSA-2021:2583
RHSA-2021:4702
RLSA-2021:2583
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-RU-2021:0985-1
SUSE-SU-2021:2818-1
SUSE-SU-2022:2841-1
SUSE-SU-2022:3231-1
USN-4940-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Pyyaml
Red Hat
Rocky Linux
Suse
Ubuntu