[GHSA-6757-jp84-gxfx] Improper Input Validation in PyYAML

[amita-seal]

Updates

• Affected products
• CVSS v3

Comments
CVE is only relevant since version 5.1b1, see snyk as reference.

[darakian]

Looking at the redhat bug report there's a claim that the first affected version is 5.1
https://bugzilla.redhat.com/show_bug.cgi?id=1807367#c2
They call out the class FullLoader as the affected component
the fix we have on record seems to show FullConstructor as the class being altered
yaml/pyyaml@5080ba5
Digging in a bit it seems that FullLoader and FullConstructor both came into existence on
yaml/pyyaml@0cedb2a

Which has the tag 5.1b7 rather than 5.1b1. Where does 5.1b1 come from?

[amita-seal]

I think you're correct and the range should start at 5.1b7.

[amita-seal]

Hi @darakian
If we agree can you merge this?

Thanks!

[advisory-database]

Hi @amita-seal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[darakian]

Sorry about the delay. I got a little tied up at github universe the last two days. We should be good now 👍