CVE-2019-20478 (High) detected in ruamel.yaml-0.15.97-cp37-cp37m-manylinux1_x86_64.whl - autoclosed
Closed this issue · 1 comments
CVE-2019-20478 - High Severity Vulnerability
Vulnerable Library - ruamel.yaml-0.15.97-cp37-cp37m-manylinux1_x86_64.whl
ruamel.yaml is a YAML parser/emitter that supports roundtrip preservation of comments, seq/map flow style, and map key order
Library home page: https://files.pythonhosted.org/packages/0d/f6/eb79ffc92f097f5abe446583010d3a1d612b9c272a8438b5dae76b79edf6/ruamel.yaml-0.15.97-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /homeassistant/components/device_tracker
Path to vulnerable library: /homeassistant/components/device_tracker,/tmp/ws-scm/Platform-Integration,/homeassistant
Dependency Hierarchy:
- ❌ ruamel.yaml-0.15.97-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 815dc70d82791ab5e7a25a43588702e4458fd9f6
Found in base branch: dev
Vulnerability Details
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
Publish Date: 2020-02-19
URL: CVE-2019-20478
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-20478
Release Date: 2020-02-19
Fix Resolution: ruamel.yaml - 0.16.9;ruamel.yaml - 0.16.10
Step up your Open Source Security Game with Mend here
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.