Is CVE-2020-1747 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 5%.

What products does CVE-2020-1747 affect?

Tracked products affected include Fedora. Check the version you run to see whether it is affected.

How do I fix CVE-2020-1747?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2020-1747

Q: What is CVE-2020-1747?

CVE-2020-1747 is a critical-severity software vulnerability (Improper input validation) with a CVSS score of 9.8. A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applicatio

CRITICAL severity · CVSS 9.8 · Improper input validation

9.8CVSS CRITICAL

Summary

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)5%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Fedora

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747 ↗

CVE-2020-1747

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information