CVE-2017-18342
Publication date 27 June 2018
Last updated 25 August 2025
Ubuntu priority
CVSS 3 severity score
Description
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data: its default Loader honours tags such as python/object that construct arbitrary Python objects from the document. The load() function has been deprecated in version 5.1 and 'UnsafeLoader' has been introduced for backward compatibility with the old behaviour; yaml.safe_load(), or load() with Loader=yaml.SafeLoader, is the safe alternative for untrusted input.
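The description above names the hazard (yaml.load() with the default loader constructs arbitrary Python objects) and the mitigation (safe_load or an explicit SafeLoader). Since the tracker notes say the fix for stable releases has to be made in each application rather than in pyyaml itself, the practical task is finding every unsafe call site. The following is an added example, not code from the Ubuntu tracker or from PyYAML: an ast-based audit that flags yaml.load/load_all/unsafe_load calls whose Loader is not on an allowlist of safe loaders, run over a constructed source snippet, plus a probe showing safe_load refusing a python/object/apply tag when PyYAML happens to be importable. The names audit_yaml_loads, Finding, SAMPLE_SOURCE and MALICIOUS_DOC are this example's own.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

# Loaders that never construct arbitrary Python objects. Anything else
# (Loader, UnsafeLoader, FullLoader, custom subclasses) is flagged for review.
SAFE_LOADERS = {"BaseLoader", "CBaseLoader", "SafeLoader", "CSafeLoader"}
LOAD_FUNCS = {"load", "load_all", "unsafe_load", "unsafe_load_all"}


@dataclass
class Finding:
    line: int
    call: str
    reason: str


def _bare_name(node: ast.AST) -> Optional[str]:
    """yaml.SafeLoader -> 'SafeLoader'; SafeLoader -> 'SafeLoader'; else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def audit_yaml_loads(source: str) -> List[Finding]:
    """Flag yaml load calls that can construct arbitrary Python objects.

    Matches yaml.<func>(...) as well as names bound by 'from yaml import ...'
    (including 'as' aliases), and resolves the Loader whether it is passed
    positionally or as Loader=...
    """
    tree = ast.parse(source)
    from_yaml = {}  # local name -> original yaml attribute name
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                from_yaml[alias.asname or alias.name] = alias.name

    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"):
            fname = func.attr
        elif isinstance(func, ast.Name) and func.id in from_yaml:
            fname = from_yaml[func.id]
        else:
            continue
        if fname not in LOAD_FUNCS:
            continue  # safe_load, safe_load_all, dump, ... need no review
        call = f"yaml.{fname}"
        if fname.startswith("unsafe_"):
            findings.append(Finding(node.lineno, call,
                                    "unsafe_* constructs arbitrary Python objects"))
            continue
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:
            loader = node.args[1]  # load(stream, Loader) passed positionally
        if loader is None:
            findings.append(Finding(node.lineno, call,
                                    "no Loader argument: full Loader before 5.1, deprecated since 5.1"))
            continue
        lname = _bare_name(loader)
        lname = from_yaml.get(lname, lname)  # undo 'from yaml import X as Y'
        if lname not in SAFE_LOADERS:
            findings.append(Finding(node.lineno, call,
                                    f"Loader={lname or '<expression>'} is not an allowlisted safe loader"))
    return sorted(findings, key=lambda f: f.line)


# Constructed application code to audit (not from any real project).
SAMPLE_SOURCE = """\
import yaml
from yaml import load, SafeLoader, Loader as UL

def parse(untrusted):
    a = yaml.load(untrusted)
    b = yaml.load(untrusted, Loader=yaml.Loader)
    c = yaml.load(untrusted, yaml.UnsafeLoader)
    d = yaml.unsafe_load(untrusted)
    e = load(untrusted, Loader=UL)
    f = yaml.load(untrusted, Loader=yaml.FullLoader)
    g = yaml.safe_load(untrusted)
    h = yaml.load(untrusted, Loader=SafeLoader)
    i = load(untrusted, yaml.CSafeLoader)
    return a, b, c, d, e, f, g, h, i
"""

# Constructed attacker document: under the pre-5.1 default Loader the tag makes
# the constructor call os.system("echo pwned"). It is never passed to yaml.load here.
MALICIOUS_DOC = "!!python/object/apply:os.system ['echo pwned']"


def safe_load_rejects(doc: str) -> Optional[bool]:
    """True if yaml.safe_load refuses to construct doc (SafeLoader raises a
    ConstructorError for python/* tags), False if it builds it, None when
    PyYAML is not importable in this environment."""
    try:
        import yaml
    except ImportError:
        return None
    try:
        yaml.safe_load(doc)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    for f in audit_yaml_loads(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.call}: {f.reason}")
    print("safe_load rejects python tag:", safe_load_rejects(MALICIOUS_DOC))
```

The audit uses an allowlist rather than a denylist of loaders, so a call passing FullLoader or a project-specific Loader subclass is reported for review instead of silently accepted; replacing each flagged call with yaml.safe_load() (or Loader=yaml.SafeLoader) is the per-application fix the notes on this page describe.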
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| pyyaml | 20.04 LTS focal | Not affected |
| pyyaml | 18.04 LTS bionic | Ignored |
| pyyaml | 16.04 LTS xenial | Ignored |
| pyyaml | 14.04 LTS trusty | Ignored |
Notes
seth-arnold
The patch changes the incredibly-unsafe yaml.load to the behaviour of safe_load; despite being many years overdue, it's also likely to break something.
mdeslaur
Upstream has reverted the 4.1 fix, so as of 2020-10-06 there is no proper fix for this issue for stable releases, and fixing it is likely to cause compatibility issues. In stable releases individual software would need to be fixed instead of pyyaml itself. We are not going to be fixing pyyaml itself, marking as ignored.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality impact | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |