CVE-2020-1747: Improper Input Validation

March 24, 2020 (updated March 26, 2021)

PyYAML is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747
nvd.nist.gov/vuln/detail/CVE-2020-1747

Detect and mitigate CVE-2020-1747 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →