CVE-2017-1002157: modulemd uses an unsafe function for processing externally provided data

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.71746%
Published: 1/17/2019
Updated: 9/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
modulemd       pip         < 1.3.2               1.3.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from unsafe YAML deserialization. Pagure.io issue #55 identifies modulemd.loads_all() calling yaml.load_all() as the root cause. Before PyYAML 5.1, yaml.load() and yaml.load_all() used the full yaml.Loader by default; that loader honours Python-specific tags such as !!python/object/apply, so a crafted document can run arbitrary Python code while it is being parsed (CWE-242, use of an inherently dangerous function). PyYAML 6.0 now requires an explicit Loader argument, but passing yaml.Loader or yaml.UnsafeLoader reproduces the same behaviour, so the fix cannot rely on the library default. The fix in version 1.3.2 would be expected to switch to yaml.safe_load_all(), which constructs only plain YAML types and rejects any other tag with a ConstructorError. The combination of processing externally provided data without validation (CWE-20) and the dangerous function (CWE-242) matches the vulnerability description and its CWE mappings.
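The following is an added example, not modulemd's own code or the 1.3.2 fix. It feeds a constructed two-document YAML stream (the second document carries a !!python/object/apply tag) to the vulnerable pattern, yaml.load_all() with the legacy yaml.Loader, and to the hardened yaml.safe_load_all(), so the difference is visible on the same input. The function names loads_all_unsafe and loads_all_safe are illustrative and not modulemd identifiers; the choice of builtins.sorted as the callable is arbitrary and stands in for whatever an attacker would name.

```python
"""Added example (not modulemd's own code): yaml.load_all() with the legacy
Loader executes a callable named by a !!python/object/apply tag during
parsing; yaml.safe_load_all() rejects the same document."""
import yaml

# Constructed input: a modulemd-style first document followed by a document
# that asks the loader to call builtins.sorted([3, 1, 2]) at parse time.
# (Names and structure here are illustrative, not a real modulemd document.)
MALICIOUS_STREAM = """\
---
document: modulemd
version: 1
data:
  name: example
---
payload: !!python/object/apply:builtins.sorted
  - [3, 1, 2]
"""


def loads_all_unsafe(stream):
    """Vulnerable pattern. Before PyYAML 5.1, yaml.load_all(stream) with no
    Loader argument behaved like this; the explicit Loader=yaml.Loader keeps
    the demonstration working on current PyYAML (assumption: this matches
    the loader modulemd effectively used before 1.3.2)."""
    return list(yaml.load_all(stream, Loader=yaml.Loader))


def loads_all_safe(stream):
    """Hardened form: only plain YAML types (str, int, list, dict, ...) are
    constructed; any python/* tag raises yaml.constructor.ConstructorError."""
    return list(yaml.safe_load_all(stream))


def demo():
    """Returns (value the unsafe loader produced for 'payload',
    whether the safe loader rejected the stream)."""
    unsafe_docs = loads_all_unsafe(MALICIOUS_STREAM)
    # The unsafe loader already called sorted([3, 1, 2]) while parsing;
    # with a different callable this is arbitrary code execution.
    executed_result = unsafe_docs[1]["payload"]

    try:
        loads_all_safe(MALICIOUS_STREAM)
        safe_rejected = False
    except yaml.constructor.ConstructorError:
        safe_rejected = True
    return executed_result, safe_rejected


if __name__ == "__main__":
    result, rejected = demo()
    print("unsafe loader executed the tag, payload =", result)
    print("safe loader rejected the stream:", rejected)
```

The safe loader fails the whole stream rather than silently dropping the tagged node, which is the behaviour a consumer of untrusted modulemd input wants: a document that needs non-YAML object construction has no legitimate reason to exist in that feed. Note that yaml.FullLoader also blocks python/object/apply on current PyYAML, but its allow list has changed between releases, so safe_load_all() is the setting to standardize on.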

WAF Protection Rules

WAF Rule

modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.
