Django-piston and Django-tastypie do not properly deserialize YAML data
High severity
GitHub Reviewed
Published
Jul 23, 2018
to the GitHub Advisory Database
•
Updated Aug 31, 2023
Package
Affected versions
>= 0.2.0, <= 0.2.2.0
>= 0.2.2.2, < 0.2.3
Patched versions
0.2.2.1
0.2.3
Description
Published to the GitHub Advisory Database
Jul 23, 2018
Reviewed
Jun 16, 2020
Last updated
Aug 31, 2023
emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.
Django Tastypie has a very similar vulnerability.
References