9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16616

GHSA ID

GHSA-vg8g-jpm9-jh8r

EPSS Score

0.77899%

CWE

CWE-502

Published

5/13/2022

Updated

10/21/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16616

CVE-2017-16616: Unsafe pyyaml load usage in PyAnyAPI

An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.

(GitHub Advisory)

9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16616

GHSA ID

GHSA-vg8g-jpm9-jh8r

EPSS Score

0.77899%

CWE

CWE-502

Published

5/13/2022

Updated

10/21/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pyanyapi	pip	< 0.6.1	0.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems directly from the use of yaml.load() in YAMLInterface's perform_parsing method. The commit diff shows the fix replacing load() with safe_load(), and the CVE description explicitly identifies this as the vulnerable pattern. The added test case in test_parsers.py demonstrates exploitation attempts would succeed with load() but fail with safe_load(). This matches the CWE-502 pattern of unsafe deserialization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *xploit**l* vuln*r**ility *xists in t** Y*ML p*rsin* *un*tion*lity in t** Y*MLP*rs*r m*t*o* in Int*r****s.py in Py*ny*PI ***or* *.*.*. * Y*ML p*rs*r **n *x**ut* *r*itr*ry Pyt*on *omm*n*s r*sultin* in *omm*n* *x**ution ****us* `lo**` is us** w**r*

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom t** us* o* y*ml.lo**() in Y*MLInt*r****'s p*r*orm_p*rsin* m*t*o*. T** *ommit *i** s*ows t** *ix r*pl**in* lo**() wit* s***_lo**(), *n* t** *V* **s*ription *xpli*itly i**nti*i*s t*is *s t** vuln*r**l* p*tt*rn. T**

9.8

Basic Information

Concerned about an active attack path?

CVE-2017-16616: Unsafe pyyaml load usage in PyAnyAPI

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI