Skip to content

Improper Input Validation in PyYAML #683

New issue
New issue
Open
Open
Improper Input Validation in PyYAML#683
@i5d6

Description

@i5d6
i5d6
opened on May 1, 2025

from setuptools import setup, find_packages

setup(
name="snowalert-runners",
version='1.0',
packages=find_packages(),
include_package_data=True,
install_requires=[
'aiohttp[speedups]',
'aioboto3==8.0.5',
'fire==0.1.3',
'jira==2.0.0',
'PyYAML==5.3.1',
'xmltodict==0.12.0',
'snowflake-connector-python==3.13.1',
'snowflake-sqlalchemy==1.2.3',
'pandas==1.0.4',
'pybrake==0.4.0',
'rpy2==3.2.0',
'pytz==2018.9',
'slackclient==1.3.1',
'tzlocal==1.5.1',
'azure-common==1.1.23',
'azure-mgmt-compute==8.0.0',
'azure-mgmt-network==5.0.0',
'azure-mgmt-storage==4.1.0',
'azure-mgmt-subscription==0.5.0',
'azure-storage-blob==12.13.1',
'azure-storage-common==2.1.0',
'google-api-python-client==1.8.2',
'pyTenable==1.1.1',
'boto3==1.14.20',
'botocore==1.15.32',
'twilio==6.29.4',
'simple_salesforce==0.74.3',
'pdpyras==4.0',
'duo_client==4.2.3',
'cryptography==44.0.1',
'requests==2.32.2',
],
extras_require={
'dev': [
'pytest',
'black',
'mypy',
]
},
)

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for GHSA-6757-jp84-gxfx.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions