{"api_version":"1","generated_at":"2026-04-23T04:09:30+00:00","cve":"CVE-2017-18342","urls":{"html":"https://cve.report/CVE-2017-18342","api":"https://cve.report/api/cve/CVE-2017-18342.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-18342","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-18342"},"summary":{"title":"CVE-2017-18342","description":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-06-27 12:29:00","updated_at":"2023-11-07 02:41:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation","name":"https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load%28input%29-Deprecation","refsource":"","tags":[],"title":"PyYAML yaml.load(input) Deprecation · yaml/pyyaml Wiki · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","name":"FEDORA-2019-44643e8bcb","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 30 Update: PyYAML-5.1-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202003-45","name":"GLSA-202003-45","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"PyYAML: Arbitrary code execution (GLSA 202003-45) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/yaml/pyyaml/blob/master/CHANGES","name":"https://github.com/yaml/pyyaml/blob/master/CHANGES","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"pyyaml/CHANGES at master · yaml/pyyaml · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","name":"FEDORA-2019-bed9afe622","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 29 Update: PyYAML-5.1-1.fc29 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","name":"FEDORA-2019-779a9db46a","refsource":"","tags":[],"title":"[SECURITY] Fedora 28 Update: PyYAML-5.1-1.fc28 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","name":"FEDORA-2019-bed9afe622","refsource":"","tags":[],"title":"[SECURITY] Fedora 29 Update: PyYAML-5.1-1.fc29 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/marshmallow-code/apispec/issues/278","name":"https://github.com/marshmallow-code/apispec/issues/278","refsource":"MISC","tags":["Third Party Advisory"],"title":"Use 'yaml.safe_load' in 'load_yaml_from_docstring' · Issue #278 · marshmallow-code/apispec · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","name":"FEDORA-2019-44643e8bcb","refsource":"","tags":[],"title":"[SECURITY] Fedora 30 Update: PyYAML-5.1-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/yaml/pyyaml/issues/193","name":"https://github.com/yaml/pyyaml/issues/193","refsource":"MISC","tags":["Third Party Advisory"],"title":"PyYAML 4.2 Release Plan · Issue #193 · yaml/pyyaml · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","name":"FEDORA-2019-779a9db46a","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 28 Update: PyYAML-5.1-1.fc28 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","name":"https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","refsource":"MISC","tags":["Third Party Advisory"],"title":"PyYAML yaml.load(input) Deprecation · yaml/pyyaml Wiki · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/yaml/pyyaml/pull/74","name":"https://github.com/yaml/pyyaml/pull/74","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Make pyyaml safe by default. by alex · Pull Request #74 · yaml/pyyaml · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-18342","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18342","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"18342","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"28","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"18342","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"29","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"18342","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"18342","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"28","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"18342","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"29","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"18342","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"18342","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pyyaml","cpe5":"pyyaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"18342","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pyyaml","cpe5":"pyyaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2017-18342","qid":"159768","title":"Oracle Enterprise Linux Security Update for ol-automation-manager (ELSA-2022-9341)"},{"cve":"CVE-2017-18342","qid":"296075","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 21.69.0 Missing (CPUAPR2020)"},{"cve":"CVE-2017-18342","qid":"904846","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for mozjs60 (12374)"},{"cve":"CVE-2017-18342","qid":"904919","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for PyYAML (12295)"},{"cve":"CVE-2017-18342","qid":"904980","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for PyYAML (12458)"},{"cve":"CVE-2017-18342","qid":"980984","title":"Python (pip) Security Update for pyyaml (GHSA-rprw-h62v-c2w7)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2017-18342","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/yaml/pyyaml/pull/74","refsource":"MISC","url":"https://github.com/yaml/pyyaml/pull/74"},{"name":"https://github.com/yaml/pyyaml/blob/master/CHANGES","refsource":"MISC","url":"https://github.com/yaml/pyyaml/blob/master/CHANGES"},{"refsource":"FEDORA","name":"FEDORA-2019-bed9afe622","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/"},{"refsource":"FEDORA","name":"FEDORA-2019-779a9db46a","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/"},{"refsource":"FEDORA","name":"FEDORA-2019-44643e8bcb","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/"},{"refsource":"MISC","name":"https://github.com/marshmallow-code/apispec/issues/278","url":"https://github.com/marshmallow-code/apispec/issues/278"},{"refsource":"MISC","name":"https://github.com/yaml/pyyaml/issues/193","url":"https://github.com/yaml/pyyaml/issues/193"},{"refsource":"MISC","name":"https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","url":"https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation"},{"refsource":"GENTOO","name":"GLSA-202003-45","url":"https://security.gentoo.org/glsa/202003-45"}]}},"nvd":{"publishedDate":"2018-06-27 12:29:00","lastModifiedDate":"2023-11-07 02:41:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":true,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pyyaml:pyyaml:*:*:*:*:*:*:*:*","versionEndExcluding":"5.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"18342","Ordinal":"129552","Title":"CVE-2017-18342","CVE":"CVE-2017-18342","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"18342","Ordinal":"1","NoteData":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"18342","Ordinal":"2","NoteData":"2018-06-27","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"18342","Ordinal":"3","NoteData":"2020-03-19","Type":"Other","Title":"Modified"}]}}}