{"api_version":"1","generated_at":"2026-04-23T00:39:29+00:00","cve":"CVE-2020-1747","urls":{"html":"https://cve.report/CVE-2020-1747","api":"https://cve.report/api/cve/CVE-2020-1747.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-1747","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-1747"},"summary":{"title":"CVE-2020-1747","description":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2020-03-24 15:15:00","updated_at":"2023-11-07 03:19:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"1807367 – (CVE-2020-1747) CVE-2020-1747 PyYAML: arbitrary command execution through python/object/new when FullLoader is used","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","name":"FEDORA-2020-bdb0bfa928","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: PyYAML-5.3.1-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/","name":"FEDORA-2021-3342569a0f","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: PyYAML-5.4.1-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/","name":"FEDORA-2021-eed7193502","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 32 Update: PyYAML-5.4.1-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","name":"FEDORA-2020-40c35d7b37","refsource":"","tags":[],"title":"[SECURITY] Fedora 30 Update: PyYAML-5.3.1-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","name":"openSUSE-SU-2020:0630","refsource":"SUSE","tags":["Mailing List","Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2020:0630-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","name":"openSUSE-SU-2020:0507","refsource":"SUSE","tags":["Mailing List","Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2020:0507-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/","name":"FEDORA-2021-eed7193502","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: PyYAML-5.4.1-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","name":"FEDORA-2020-bdb0bfa928","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 31 Update: PyYAML-5.3.1-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","name":"FEDORA-2020-e9741a6a15","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: PyYAML-5.3.1-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/","name":"FEDORA-2021-3342569a0f","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 33 Update: PyYAML-5.4.1-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","name":"FEDORA-2020-40c35d7b37","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 30 Update: PyYAML-5.3.1-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","name":"FEDORA-2020-e9741a6a15","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 32 Update: PyYAML-5.3.1-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/yaml/pyyaml/pull/386","name":"https://github.com/yaml/pyyaml/pull/386","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Prevents arbitrary code execution during python/object/new constructor by ret2libc · Pull Request #386 · yaml/pyyaml · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-1747","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1747","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_cloud_native_core_network_function_cloud_native_environment","cpe6":"22.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pyyaml","cpe5":"pyyaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1747","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pyyaml","cpe5":"pyyaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-1747","qid":"159654","title":"Oracle Enterprise Linux Security Update for python38:3.8 (ELSA-2020-4641)"},{"cve":"CVE-2020-1747","qid":"239895","title":"Red Hat Update for Satellite 6.10 (RHSA-2021:4702)"},{"cve":"CVE-2020-1747","qid":"296067","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 33.94.0 Missing (CPUAPR2021)"},{"cve":"CVE-2020-1747","qid":"500783","title":"Alpine Linux Security Update for py3-yaml"},{"cve":"CVE-2020-1747","qid":"504336","title":"Alpine Linux Security Update for py3-yaml"},{"cve":"CVE-2020-1747","qid":"670312","title":"EulerOS Security Update for PyYAML (EulerOS-SA-2021-1912)"},{"cve":"CVE-2020-1747","qid":"670367","title":"EulerOS Security Update for PyYAML (EulerOS-SA-2021-1958)"},{"cve":"CVE-2020-1747","qid":"670388","title":"EulerOS Security Update for PyYAML (EulerOS-SA-2021-1937)"},{"cve":"CVE-2020-1747","qid":"710880","title":"Gentoo Linux PyYAML Arbitrary Code Execution Vulnerability (GLSA 202402-33)"},{"cve":"CVE-2020-1747","qid":"751033","title":"SUSE Enterprise Linux Security Update for python-PyYAML (SUSE-SU-2021:2818-1)"},{"cve":"CVE-2020-1747","qid":"752486","title":"SUSE Enterprise Linux Security Update for python-PyYAML (SUSE-SU-2022:2841-1)"},{"cve":"CVE-2020-1747","qid":"904835","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for PyYAML (12297)"},{"cve":"CVE-2020-1747","qid":"904864","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for mozjs60 (12381)"},{"cve":"CVE-2020-1747","qid":"904988","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for PyYAML (12457)"},{"cve":"CVE-2020-1747","qid":"907545","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for PyYAML (31783-1)"},{"cve":"CVE-2020-1747","qid":"940211","title":"AlmaLinux Security Update for python38:3.8 (ALSA-2020:4641)"},{"cve":"CVE-2020-1747","qid":"960347","title":"Rocky Linux Security Update for python38:3.8 (RLSA-2020:4641)"},{"cve":"CVE-2020-1747","qid":"981293","title":"Python (pip) Security Update for pyyaml (GHSA-6757-jp84-gxfx)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-1747","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Red Hat","product":{"product_data":[{"product_name":"PyYAML","version":{"version_data":[{"version_value":"5.3.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20"}]}]},"references":{"reference_data":[{"refsource":"FEDORA","name":"FEDORA-2020-40c35d7b37","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/"},{"refsource":"FEDORA","name":"FEDORA-2020-bdb0bfa928","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/"},{"refsource":"FEDORA","name":"FEDORA-2020-e9741a6a15","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0507","url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0630","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html"},{"refsource":"FEDORA","name":"FEDORA-2021-3342569a0f","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/"},{"refsource":"FEDORA","name":"FEDORA-2021-eed7193502","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","refsource":"CONFIRM"},{"url":"https://github.com/yaml/pyyaml/pull/386","name":"https://github.com/yaml/pyyaml/pull/386","refsource":"MISC"}]},"description":{"description_data":[{"lang":"eng","value":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor."}]},"impact":{"cvss":[[{"vectorString":"9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.0"}]]}},"nvd":{"publishedDate":"2020-03-24 15:15:00","lastModifiedDate":"2023-11-07 03:19:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":10},"severity":"HIGH","exploitabilityScore":10,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pyyaml:pyyaml:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"5.3.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"1747","Ordinal":"160985","Title":"CVE-2020-1747","CVE":"CVE-2020-1747","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"1747","Ordinal":"1","NoteData":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"1747","Ordinal":"2","NoteData":"2020-03-24","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"1747","Ordinal":"3","NoteData":"2021-01-29","Type":"Other","Title":"Modified"}]}}}