CVE-2011-4104: Django Tastypie Improper Deserialization of YAML Data

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.73427%
Published: 5/14/2022
Updated: 9/16/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: django-tastypie
Ecosystem: pip
Vulnerable Versions: < 0.9.10
First Patched Version: 0.9.10

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems directly from the use of yaml.load() in the from_yaml method of tastypie's serializer, as shown in the commit diff replacing it with yaml.safe_load(). At the time, PyYAML's yaml.load() used the full Loader, which honours python-specific tags such as !!python/object/apply and therefore instantiates arbitrary Python objects and calls arbitrary callables while parsing; yaml.safe_load() is restricted to plain YAML types (mappings, sequences, scalars) and rejects those tags. The CVE description explicitly identifies this method as the attack vector, and the patch confirms the vulnerability was in this specific function.
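The following is an added example, not tastypie's code, that reproduces the root cause with PyYAML and shows why the one-line patch closes it. It assumes PyYAML is installed; because PyYAML 5.1 and later no longer default yaml.load() to the unsafe loader, the vulnerable path passes Loader=yaml.Loader explicitly to reproduce the pre-0.9.10 behaviour. The YAML bodies, function names and the use of os.getcwd as a harmless stand-in for an attacker-chosen callable are all constructed for the example.

```python
"""Added example: CVE-2011-4104 root cause and fix, reproduced with PyYAML."""
import os
import yaml

# Constructed request body: a YAML document carrying a python/object/apply tag.
# An unsafe loader resolves this tag by importing os and calling os.getcwd()
# during deserialization. os.getcwd is used only because it is harmless; an
# attacker would name any importable callable (e.g. subprocess.check_output).
MALICIOUS_YAML = "!!python/object/apply:os.getcwd []\n"

# Constructed benign body, shaped like an ordinary tastypie resource payload.
BENIGN_YAML = "title: First post\nbody: hello\ntags: [a, b]\n"


def from_yaml_vulnerable(content):
    """Equivalent of the pre-0.9.10 behaviour (assumption: tastypie called
    yaml.load(content) with no Loader argument, which in PyYAML < 5.1 meant
    yaml.Loader). Passing Loader=yaml.Loader reproduces that on current PyYAML."""
    return yaml.load(content, Loader=yaml.Loader)


def from_yaml_patched(content):
    """Equivalent of the 0.9.10 fix: safe_load builds only plain YAML types
    and raises ConstructorError on any python/* tag before code can run."""
    return yaml.safe_load(content)


def demo():
    """Run both loaders over both bodies and report what happened."""
    results = {}
    # Vulnerable path: the tag is executed; the 'deserialized' value is the
    # return value of os.getcwd(), proving a callable ran during parsing.
    results["vulnerable_output"] = from_yaml_vulnerable(MALICIOUS_YAML)
    results["vulnerable_executed_code"] = results["vulnerable_output"] == os.getcwd()
    # Patched path: the same document is rejected at the constructor stage.
    try:
        from_yaml_patched(MALICIOUS_YAML)
        results["patched_rejected"] = False
    except yaml.constructor.ConstructorError:
        results["patched_rejected"] = True
    # Legitimate payloads still deserialize correctly under the safe loader,
    # so the fix costs nothing for real API clients.
    results["benign"] = from_yaml_patched(BENIGN_YAML)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

When auditing other code for the same pattern, treat any yaml.load() call without Loader=yaml.SafeLoader (or any use of yaml.Loader / yaml.UnsafeLoader) on untrusted input as equivalent to eval() of attacker-supplied data; yaml.safe_load() is the drop-in replacement.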

WAF Protection Rules

WAF Rule

The `from_yaml` method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.
