Tainted ruamel
tainted-ruamel
The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from ruamel.yaml version 0.15.0, the default loader (typ='rt') is a direct derivative of the safe loader. Before that version, pass the optional Loader argument with value SafeLoader or CSafeLoader, or use the safe_load function.
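An added, stand-alone illustration of the check this rule performs (not Semgrep's own rule logic): a small stdlib-only AST checker that flags ruamel.yaml.load() calls with no SafeLoader/CSafeLoader, run over a constructed sample module. It is a simplification: it only recognises the fully-qualified ruamel.yaml.load spelling.

```python
import ast
from typing import List

# Constructed sample module (not from any real project) mixing unsafe and
# safe ruamel.yaml usage, so the checker below has something to walk.
SAMPLE_SOURCE = '''
import ruamel.yaml
from ruamel.yaml import YAML, SafeLoader

def parse_unsafe(blob):
    return ruamel.yaml.load(blob)                     # flagged: no Loader

def parse_safe_loader(blob):
    return ruamel.yaml.load(blob, Loader=SafeLoader)  # ok

def parse_safe_load(blob):
    return ruamel.yaml.safe_load(blob)                # ok

def parse_rt(blob):
    return YAML().load(blob)                          # ok: typ='rt' is safe-derived
'''

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}

def _name_of(node: ast.expr) -> str:
    """Dotted name for Name/Attribute chains, e.g. 'ruamel.yaml.load'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _name_of(node.value) + "." + node.attr
    return ""

def _loader_is_safe(call: ast.Call) -> bool:
    """True only when Loader is given (keyword or 2nd positional) and is a safe class."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _name_of(kw.value).split(".")[-1] in SAFE_LOADERS
    if len(call.args) >= 2:
        return _name_of(call.args[1]).split(".")[-1] in SAFE_LOADERS
    return False

def find_unsafe_loads(source: str) -> List[int]:
    """Line numbers of ruamel.yaml.load(...) calls that lack a safe Loader."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _name_of(node.func) == "ruamel.yaml.load":
            if not _loader_is_safe(node):
                hits.append(node.lineno)
    return sorted(hits)

if __name__ == "__main__":
    for line in find_unsafe_loads(SAMPLE_SOURCE):
        print(f"line {line}: ruamel.yaml.load() without SafeLoader/CSafeLoader")
```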
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures