Upstream information

CVE-2020-1747 at MITRE

Description

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

SUSE information

Overall state of this security issue: Running

This issue is currently rated as having important severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 10
Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS v3 Scores
  National Vulnerability Database SUSE
Base Score 9.8 8.8
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Access Vector Network Network
Access Complexity Low Low
Privileges Required None None
User Interaction None Required
Scope Unchanged Unchanged
Confidentiality Impact High High
Integrity Impact High High
Availability Impact High High
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entries: 1165439 [NEW], 1174514 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
Container caasp/v4.5/k8s-sidecar:0.1.75
Container caasp/v5/k8s-sidecar:beta
Image SLES15-SP1-CHOST-BYOS-Ali
Image SLES15-SP1-CHOST-BYOS-EC2
Image SLES15-SP1-CHOST-BYOS-OpenStack
Image SLES15-SP2-CHOST-BYOS-Ali
Image SLES15-SP2-CHOST-BYOS-Azure
Image SLES15-SP2-CHOST-BYOS-EC2
Image SLES15-SP2-CHOST-BYOS-OpenStack
Image caasp-k8s-sidecar-image
  • python3-PyYAML >= 5.1.2-6.6.1
HPE Helion Openstack 8
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
HPE-Helion-OpenStack-8-2020-1285
SUSE Enterprise Storage 5
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-Storage-5-2020-1285
SUSE Linux Enterprise High Availability 12 SP1
  • python-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-HA-12-SP1-2020-1285
SUSE Linux Enterprise High Availability 12 SP2
  • python-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-HA-12-SP2-2020-1285
SUSE Linux Enterprise Module for Advanced Systems Management 12
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-Module-Adv-Systems-Management-12-2020-1285
SUSE Linux Enterprise Module for Basesystem 15 SP1
  • python-PyYAML >= 5.1.2-6.6.1
  • python3-PyYAML >= 5.1.2-6.6.1
Patchnames:
SUSE-SLE-Module-Basesystem-15-SP1-2020-959
SUSE Linux Enterprise Module for Containers 12
  • python-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-Module-Containers-12-2020-1285
SUSE Linux Enterprise Module for Public Cloud 12
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-Module-Public-Cloud-12-2020-1285
SUSE Linux Enterprise Module for Python2 packages 15 SP1
  • python-PyYAML >= 5.1.2-6.6.1
  • python2-PyYAML >= 5.1.2-6.6.1
Patchnames:
SUSE-SLE-Module-Python2-15-SP1-2020-959
SUSE Linux Enterprise Point of Sale 12 SP2
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-POS-12-SP2-2020-1285
SUSE Linux Enterprise Server 12 SP3-BCL
SUSE Linux Enterprise Server for SAP Applications 12 SP3-BCL
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-SERVER-12-SP3-BCL-2020-1285
SUSE Linux Enterprise Server 12 SP3-ESPOS
SUSE Linux Enterprise Server for SAP Applications 12 SP3-ESPOS
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-SERVER-12-SP3-ESPOS-2020-1285
SUSE Linux Enterprise Server 12 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP3-LTSS
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-SERVER-12-SP3-2020-1285
SUSE Linux Enterprise Server 12 SP4
SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-SERVER-12-SP4-2020-1285
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-SERVER-12-SP5-2020-1285
SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-SAP-12-SP3-2020-1285
SUSE Manager Proxy 3.2
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SUSE-Manager-Proxy-3.2-2020-1285
SUSE Manager Server 3.2
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SUSE-Manager-Server-3.2-2020-1285
SUSE Manager Tools 12
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-SLE-Manager-Tools-12-2020-1285
SUSE OpenStack Cloud 6-LTSS
  • python-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-OpenStack-Cloud-6-LTSS-2020-1285
SUSE OpenStack Cloud 7
  • python-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-OpenStack-Cloud-7-2020-1285
SUSE OpenStack Cloud 8
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-OpenStack-Cloud-8-2020-1285
SUSE OpenStack Cloud Crowbar 8
  • python-PyYAML >= 5.1.2-26.12.1
  • python3-PyYAML >= 5.1.2-26.12.1
Patchnames:
SUSE-OpenStack-Cloud-Crowbar-8-2020-1285
openSUSE Leap 15.1
  • python-PyYAML >= 5.1.2-lp151.2.13.1
  • python-PyYAML-debuginfo >= 5.1.2-lp151.2.13.1
  • python-PyYAML-debugsource >= 5.1.2-lp151.2.13.1
  • python2-PyYAML >= 5.1.2-lp151.2.13.1
  • python2-PyYAML-debuginfo >= 5.1.2-lp151.2.13.1
  • python3-PyYAML >= 5.1.2-lp151.2.13.1
  • python3-PyYAML-debuginfo >= 5.1.2-lp151.2.13.1
Patchnames:
openSUSE-2020-507
openSUSE-2020-630


Status of this issue by product and package

Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.

Product(s) Source package State
HPE Helion OpenStack 8 python-PyYAML Released
HPE Helion OpenStack Cloud 8 python-PyYAML Not affected
Public Cloud Module for SUSE Linux Enterprise 11 python-PyYAML Not affected
SUSE CaaS Platform 3.0 python-PyYAML In progress
SUSE Container as a Service Platform 1.0 python-PyYAML Affected
SUSE Container as a Service Platform 2.0 python-PyYAML Unsupported
SUSE Enterprise Storage 5 python-PyYAML Released
SUSE Linux Enterprise 12 Module for Advanced Systems Management python-PyYAML Released
SUSE Linux Enterprise 12 Module for Containers python-PyYAML Released
SUSE Linux Enterprise 12 Module for Public Cloud python-PyYAML Released
SUSE Linux Enterprise 15 Module for Basesystem python-PyYAML Not affected
SUSE Linux Enterprise 15 Module for Public Cloud python-PyYAML In progress
SUSE Linux Enterprise 15-SP1 Module for Basesystem python-PyYAML Released
SUSE Linux Enterprise 15-SP1 Module for Python 2 python-PyYAML Released
SUSE Linux Enterprise 15-SP2 Module for Basesystem python-PyYAML Released
SUSE Linux Enterprise 15-SP2 Module for Python 2 python-PyYAML Released
SUSE Linux Enterprise High Availability Extension 12 SP1 python-PyYAML Released
SUSE Linux Enterprise High Availability Extension 12 SP2 python-PyYAML Released
SUSE Linux Enterprise High Performance Computing 12 SP4 python-PyYAML Released
SUSE Linux Enterprise High Performance Computing 12 SP5 python-PyYAML Released
SUSE Linux Enterprise Server 11 SP3 python-PyYAML Not affected
SUSE Linux Enterprise Server 11 SP3 python27-PyYAML Not affected
SUSE Linux Enterprise Server 12 SP3 BCL python-PyYAML Released
SUSE Linux Enterprise Server 12 SP3 LTSS python-PyYAML Released
SUSE Linux Enterprise Server 12 SP4 python-PyYAML Released
SUSE Linux Enterprise Server 12 SP5 python-PyYAML Released
SUSE Linux Enterprise Server for SAP Applications 12 SP1 python-PyYAML Released
SUSE Linux Enterprise Server for SAP Applications 12 SP2 python-PyYAML Released
SUSE Linux Enterprise Server for SAP Applications 12 SP3 python-PyYAML Released
SUSE Linux Enterprise Server for SAP Applications 12 SP4 python-PyYAML Released
SUSE Linux Enterprise Server for SAP Applications 12 SP5 python-PyYAML Released
SUSE Manager Proxy 3.2 python-PyYAML Released
SUSE Manager Server 3.2 python-PyYAML Released
SUSE Manager Tools python-PyYAML Released
SUSE OpenStack Cloud 6 LTSS python-PyYAML Released
SUSE OpenStack Cloud 7 python-PyYAML Released
SUSE OpenStack Cloud 8 python-PyYAML Released
SUSE OpenStack Cloud 9 python-PyYAML Not affected
SUSE OpenStack Cloud Crowbar 8 python-PyYAML Released
SUSE OpenStack Cloud Crowbar 9 python-PyYAML Not affected