CVE-2011-4104
Summary
| CVE | CVE-2011-4104 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-10-27 01:55:23 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method. |
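The mechanism the description refers to, as an added example that is not Tastypie's own serializer code: the pre-0.9.10 `from_yaml` passed the request body to PyYAML's `yaml.load`, whose default (unsafe) constructors honour `!!python/...` tags and will import a module and call a function named in the document; loading with `SafeLoader` rejects such tags before anything is imported. The function names `vulnerable_from_yaml`, `safe_from_yaml` and `deserialize_checked`, and the payload (which calls `builtins.sum` rather than anything destructive), are assumptions constructed for this example.

```python
"""Added example for CVE-2011-4104; not code from django-tastypie.

The unsafe loader below stands in for the old yaml.load(content) default
that the CVE text refers to; the safe loader stands in for the 0.9.10 fix.
Requires PyYAML (the library whose yaml.load the advisory names).
"""
import yaml
from yaml.constructor import ConstructorError

# Constructed request body, such as an attacker could POST to a resource
# that accepts application/x-yaml. The tag asks PyYAML's unsafe constructors
# to import builtins and call sum() with the listed argument; a real payload
# would name something like os.system or subprocess.Popen instead.
MALICIOUS_YAML = "!!python/object/apply:builtins.sum [[1, 2, 3]]\n"

# Constructed body a legitimate client would send.
BENIGN_YAML = "title: hello\nslug: hello\n"


def vulnerable_from_yaml(content: str):
    """Pre-fix behaviour (hypothetical name): full, unsafe loader.

    yaml.Loader carries the python/* constructors, so a tagged document
    results in an import and a call, not just a dict.
    """
    return yaml.load(content, Loader=yaml.Loader)


def safe_from_yaml(content: str):
    """Fixed behaviour (hypothetical name): SafeLoader only knows the core
    YAML tags and raises ConstructorError for python/* tags, so nothing is
    imported or called."""
    return yaml.load(content, Loader=yaml.SafeLoader)


def deserialize_checked(content: str):
    """What a serializer should do with untrusted YAML: load safely and turn
    a rejected tag into a structured error instead of a traceback.

    Returns (True, parsed_value) or (False, reason).
    """
    try:
        return True, safe_from_yaml(content)
    except ConstructorError as exc:
        return False, f"rejected unsafe YAML: {exc.problem}"


if __name__ == "__main__":
    # The unsafe loader executes sum([1, 2, 3]) while "parsing" the document.
    print("unsafe loader ->", vulnerable_from_yaml(MALICIOUS_YAML))
    # The safe loader refuses the tag; the benign document loads as a dict.
    print("safe loader   ->", deserialize_checked(MALICIOUS_YAML))
    print("benign        ->", deserialize_checked(BENIGN_YAML))
```

The check to make in an audit is the loader, not the input: any `yaml.load` call on request data without `Loader=yaml.SafeLoader` (or `yaml.safe_load`) is the same bug regardless of what the endpoint does with the result.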
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Djangoproject | Tastypie | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Safer loading of YAML. Thanks to daveyss for the report! · django-tastypie/django-tastypie@e8af315 · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Patch |
| oss-security - Re: CVE request for Django-piston and Tastypie | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Patch |
| oss-security - Re: Re: CVE request for Django-piston and Tastypie | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| Google Groups | af854a3a-2127-422b-91ae-364da2661108 | groups.google.com | |
| Django | Weblog | Piston and Tastypie security releases issued | af854a3a-2127-422b-91ae-364da2661108 | www.djangoproject.com | Vendor Advisory |
| Google Groups | MITRE | groups.google.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 996737 Python (Pip) Security Update for django-tastypie (GHSA-qgvw-qc2q-gv5q)