The vulnerability stems from unsafe YAML deserialization. Pagure.io issue #55 explicitly identifies modulemd.loads_all() calling yaml.load_all() as the root cause. yaml.load()/yaml.load_all() with the default Loader is known to be unsafe (CWE-242): the full loader resolves Python-specific tags into arbitrary Python objects, which lets crafted input execute arbitrary Python code. The fix in version 1.3.2 would have involved switching to yaml.safe_load_all(), which only constructs plain data types. The combination of processing externally supplied data without validation (CWE-20) and use of an inherently dangerous function (CWE-242) matches the vulnerability description and the CWE mappings.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| modulemd | pip | < 1.3.2 | 1.3.2 |
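The following is an added illustration of the hardened pattern the advisory describes; it is not modulemd's own code and does not reproduce the project's API. It assumes only PyYAML (the yaml package referred to above). The function names loads_all_safe and stream_is_safe are hypothetical, and the two multi-document streams are constructed samples: one benign modulemd-style stream, and one carrying a Python-specific tag that the safe loader refuses instead of resolving.

```python
"""Hardened multi-document YAML loading with yaml.safe_load_all().

Added example, not modulemd's code. Assumes PyYAML is installed.
"""
import yaml

# Constructed sample: two benign modulemd-style documents in one stream.
BENIGN_STREAM = """\
---
document: modulemd
version: 1
data:
  name: example-module
  stream: "1.0"
---
document: modulemd
version: 1
data:
  name: other-module
  stream: "2.0"
"""

# Constructed sample: a document that uses a tag from the !!python/
# namespace. The full loader would resolve such tags into Python
# objects; the safe loader has no constructor for them and raises
# yaml.constructor.ConstructorError instead.
TAGGED_STREAM = """\
---
document: modulemd
version: 1
data: !!python/name:math.pi
"""


def loads_all_safe(text):
    """Parse every document in `text` using only the safe loader.

    Returns a list of plain Python data (dicts, lists, scalars).
    safe_load_all() is a generator, so list() forces full parsing and
    surfaces any ConstructorError here rather than at a later read.
    """
    return list(yaml.safe_load_all(text))


def stream_is_safe(text):
    """Pre-ingest screen: True if every document in the stream parses
    under the safe loader, False if it carries tags the safe loader
    refuses (or is otherwise malformed YAML)."""
    try:
        loads_all_safe(text)
    except yaml.YAMLError:
        return False
    return True


if __name__ == "__main__":
    docs = loads_all_safe(BENIGN_STREAM)
    print([d["data"]["name"] for d in docs])
    print("tagged stream accepted:", stream_is_safe(TAGGED_STREAM))
```

The design point is that the safe loader is a whitelist: anything outside the YAML core schema fails closed with an exception, so the only remaining decision for the caller is how to handle a rejected stream (log it and discard, in a build or packaging pipeline).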