CVE-2020-1747
📋 TL;DR
This vulnerability allows arbitrary code execution when PyYAML processes untrusted YAML files using the full_load method or FullLoader loader. Applications using PyYAML versions before 5.3.1 to parse untrusted YAML input are affected. Attackers can exploit this to execute arbitrary Python code on vulnerable systems.
💻 Affected Systems
- PyYAML library
- Any application using PyYAML
📦 What is this software?
Communications Cloud Native Core Network Function Cloud Native Environment by Oracle
Fedora by Fedoraproject
Leap by Opensuse
Pyyaml by Pyyaml
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the vulnerable system, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution leading to application compromise, data exfiltration, or service disruption depending on the application's privileges and functionality.
If Mitigated
No impact if proper input validation and patching are implemented, or if only trusted YAML sources are processed.
🎯 Exploit Status
Exploitation requires the application to process attacker-controlled YAML input. The vulnerability is well-documented with public proof-of-concept examples available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.1 and later
Vendor Advisory: https://github.com/yaml/pyyaml/pull/386
Restart Required: No
Instructions:
1. Update PyYAML: pip install --upgrade "pyyaml>=5.3.1" (quote the requirement so the shell does not treat > as an output redirect)
2. Verify installation: pip show pyyaml
3. Test that vulnerable methods no longer accept dangerous constructors
🔧 Temporary Workarounds
Use SafeLoader instead of FullLoader
Replace FullLoader with SafeLoader in code to prevent dangerous YAML constructors from being processed
Replace: yaml.load(data, Loader=yaml.FullLoader) with: yaml.load(data, Loader=yaml.SafeLoader)
Replace: yaml.full_load(data) with: yaml.safe_load(data)
Input validation and sanitization
Implement strict input validation to only accept YAML from trusted sources
🧯 If You Can't Patch
- Implement strict network controls to prevent untrusted YAML input from reaching vulnerable systems
- Use application-level firewalls or WAFs to block malicious YAML payloads
🔍 How to Verify
Check if Vulnerable:
Check PyYAML version: pip show pyyaml | grep Version
If version is <5.3.1 and application uses full_load() or FullLoader with untrusted input, it's vulnerable.
Check Version:
pip show pyyaml | grep Version
Verify Fix Applied:
Verify PyYAML version is >=5.3.1: pip show pyyaml | grep Version
Test that dangerous constructors like '!!python/object/new' are rejected.
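As an added example (not code from the advisory or from PyYAML), the two conditions above, an installed version older than 5.3.1 and application code that selects FullLoader, combined into a standard-library-only static check whose reported lines are also where the workaround's SafeLoader replacement belongs. It goes slightly beyond the advisory's wording by also flagging a bare yaml.load() with no Loader argument, which PyYAML 5.1 through 5.3 route to FullLoader by default; FIXED_VERSION, SAMPLE_SOURCE and the function names are constructed for this example.

```python
# Added example, not from the advisory or from PyYAML: a stdlib-only static pre-patch check for CVE-2020-1747.
# Flags FullLoader selection, explicit (full_load, Loader=FullLoader) or by default (bare yaml.load(), 5.1-5.3).
import ast
import re

FIXED_VERSION = (5, 3, 1)  # first release carrying the fix from pyyaml pull #386

def parse_version(version):
    # '5.3' -> (5, 3); '5.4.1' -> (5, 4, 1); tuple comparison copes with differing lengths
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_version_vulnerable(version):
    return parse_version(version) < FIXED_VERSION

def _ref_name(node):
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", None)

class _RiskyLoaderFinder(ast.NodeVisitor):
    def __init__(self):
        self.hits = []

    def visit_Call(self, node):
        fname = _ref_name(node.func)
        via_yaml = isinstance(node.func, ast.Attribute) and _ref_name(node.func.value) == "yaml"
        loaders = [kw.value for kw in node.keywords if kw.arg == "Loader"] + node.args[1:2]
        if fname in ("full_load", "full_load_all"):
            self.hits.append(node.lineno)
        elif fname in ("load", "load_all") and any(_ref_name(a) == "FullLoader" for a in loaders):
            self.hits.append(node.lineno)
        elif fname in ("load", "load_all") and via_yaml and not loaders:
            self.hits.append(node.lineno)  # no Loader argument: FullLoader by default in 5.1-5.3
        self.generic_visit(node)

def find_risky_loader_usage(source):
    """Sorted line numbers in `source` where FullLoader would parse the input."""
    finder = _RiskyLoaderFinder()
    finder.visit(ast.parse(source))
    return sorted(set(finder.hits))

def assess(installed_version, source):
    # vulnerable only when both advisory conditions hold; risky_lines are where to switch to SafeLoader
    old, lines = is_version_vulnerable(installed_version), find_risky_loader_usage(source)
    return {"old_version": old, "risky_lines": lines, "vulnerable": old and bool(lines)}

# Constructed sample of application code (not taken from any real project)
SAMPLE_SOURCE = """import yaml
cfg = yaml.full_load(open('config.yml'))
data = yaml.load(payload, Loader=yaml.FullLoader)
legacy = yaml.load(payload)
safe = yaml.safe_load(payload)
"""
```

Feed it the output of `pip show pyyaml | grep Version` and the application's source files; the check is static, so it never parses the untrusted YAML itself.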
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from Python applications
- Errors related to YAML parsing failures
- Application crashes when processing YAML
Network Indicators:
- Unusual outbound connections from applications that process YAML
- Large YAML payloads being sent to applications
SIEM Query:
source="application_logs" AND ("full_load" OR "FullLoader") AND ("python/object" OR "!!python")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747
- https://github.com/yaml/pyyaml/pull/386
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/
- https://www.oracle.com/security-alerts/cpujul2022.html