Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2017-16615

CVE-2017-16615:
Unsafe deserialization in MLAlchemy

9.8

CVSS Score

Basic Information

CVE ID
CVE-2017-16615
GHSA ID
GHSA-xpm8-98mx-h4c5
EPSS Score
-
CWE
-
Published
7/13/2018
Updated
9/24/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
MLAlchemypip< 0.2.20.2.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is explicitly tied to the parse_yaml_query function in parser.py where unsafe yaml.load() was used. The GitHub commit diff shows this was the only function modified to fix the issue (replaced with yaml.safe_load()). Multiple sources including CVE description, GHSA advisory, and the patch commit confirm this function's unsafe deserialization was the root cause. The added security test further validates this was the attack vector by testing YAML payload rejection after the fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *xploit**l* vuln*r**ility *xists in t** Y*ML p*rsin* *un*tion*lity in t** p*rs*_y*ml_qu*ry m*t*o* in p*rs*r.py in ML*l***my ***or* *.*.*. W**n pro**ssin* Y*ML-**s** qu*ri*s *or **t*, * Y*ML p*rs*r **n *x**ut* *r*itr*ry Pyt*on *omm*n*s r*sultin* in

Reasoning

T** vuln*r**ility is *xpli*itly ti** to t** p*rs*_y*ml_qu*ry *un*tion in p*rs*r.py w**r* uns*** y*ml.lo**() w*s us**. T** *it*u* *ommit *i** s*ows t*is w*s t** only *un*tion mo*i*i** to *ix t** issu* (r*pl**** wit* y*ml.s***_lo**()). Multipl* sour**s