CVE-2020-14343
Arbitrary Code Execution vulnerability in pyyaml (PyPI)
What is CVE-2020-14343 About?
This vulnerability affects PyYAML library versions before 5.4, allowing arbitrary code execution when processing untrusted YAML files via `full_load` or `FullLoader`. Attackers can exploit this by abusing the `python/object/new` constructor, leading to severe system compromise. Exploitation is relatively straightforward if an application handles untrusted YAML input with the affected methods.
Affected Software
Technical Details
A critical arbitrary code execution vulnerability exists in the PyYAML library in versions prior to 5.4. This flaw occurs when the library is used to process untrusted YAML files via the `full_load` method or with the `FullLoader` instance. An attacker can craft a malicious YAML file that, upon deserialization, exploits the `python/object/new` constructor. By specifying a custom Python object type and constructor arguments within the YAML, the attacker can force PyYAML to instantiate and potentially execute arbitrary code defined within the YAML structure. This vulnerability is an incomplete fix for CVE-2020-1747, indicating a persistent issue with insecure deserialization practices within the library's full loading mechanism.
What is the Impact of CVE-2020-14343?
Successful exploitation may allow attackers to execute arbitrary code on the system, leading to full system compromise, data theft, and denial of service.
What is the Exploitability of CVE-2020-14343?
Exploitation requires the attacker to supply a crafted YAML file to an application that then processes it using PyYAML's `full_load` method or `FullLoader`. The complexity is low to moderate, as it involves crafting a specific YAML structure to trigger the `python/object/new` constructor. No authentication to the application is typically required if the application exposes a feature that processes untrusted YAML input. This is generally a remote attack if the attacker can upload or provide a malicious YAML file to a web application or service. Exploitation is most likely in applications that accept untrusted YAML input from external sources without proper sanitization and parse it with the vulnerable loading methods.
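As an added defensive example (not code from the PyYAML project or from this advisory), the following checks a dependency's version against the 5.4 fix, scans incoming YAML for explicit `python/*` tags as a pre-parse check or detection rule, and shows `SafeLoader` rejecting the `python/object/new` tag class described above. It assumes the PyPI package `pyyaml` is installed for the loader part; the sample documents are constructed and use only a harmless builtin.

```python
"""Defensive helpers for CVE-2020-14343 (added example, not PyYAML's own code).
Assumes the PyPI package "pyyaml" is importable; the scanner works without it."""
import re

try:
    import yaml
except ImportError:  # tag scanner and version check still work without PyYAML
    yaml = None

PYYAML_AVAILABLE = yaml is not None

# Explicit python/* tags in shorthand or verbose form. FullLoader in PyYAML < 5.4
# still resolved python/object/new, the constructor this CVE abuses.
PYTHON_TAG_RE = re.compile(r"!!python/[\w/]+|!<tag:yaml\.org,2002:python/[^>:]+")


def find_python_tags(text: str) -> list[str]:
    """Cheap pre-parse scan or detection rule over uploaded YAML: returns every
    python/* tag present so the document can be rejected or logged before any
    loader touches it."""
    return PYTHON_TAG_RE.findall(text)


def is_vulnerable_version(version: str) -> bool:
    """True for PyYAML releases before 5.4 (the fixed version in the advisory)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:2])
    return (parts + (0, 0))[:2] < (5, 4)


def load_untrusted(text: str):
    """Hardened replacement for yaml.full_load(text): SafeLoader has no
    constructor for python/* tags, so such documents raise
    yaml.constructor.ConstructorError instead of instantiating anything."""
    if yaml is None:
        raise RuntimeError("pyyaml is not installed")
    return yaml.safe_load(text)


def loads_safely(text: str) -> bool:
    """True if the document parses under SafeLoader, False if it is rejected."""
    if yaml is None:
        raise RuntimeError("pyyaml is not installed")
    try:
        load_untrusted(text)
    except yaml.YAMLError:  # ConstructorError derives from YAMLError
        return False
    return True


# Constructed sample inputs (not real payloads): an ordinary config document and
# one carrying the python/object/new tag aimed at a harmless builtin.
BENIGN_DOC = "service: web\nreplicas: 3\n"
TAGGED_DOC = "!!python/object/new:builtins.str\n- hello\n"
```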
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| j4k0m | Link | A web application vulnerable to CVE-2020-14343 insecure deserialization leading to command execution in PyYAML package. |
What are the Available Fixes for CVE-2020-14343?
Available Upgrade Options
- pyyaml
  - <5.4 → Upgrade to 5.4
Additional Resources
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-14343
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-8q59-q68h-6hv4
- https://github.com/SeldonIO/seldon-core/issues/2252
- https://bugzilla.redhat.com/show_bug.cgi?id=1860466
- https://github.com/yaml/pyyaml/issues/420
- https://github.com/yaml/pyyaml
- https://github.com/yaml/pyyaml/issues/420#issuecomment-663673966
What are Similar Vulnerabilities to CVE-2020-14343?
Similar Vulnerabilities: CVE-2020-1747, CVE-2017-18342, CVE-2019-1010313, CVE-2018-1000653, CVE-2017-1000487
