
CVE-2017-16616: Unsafe pyyaml load usage in PyAnyAPI

CVSS Score: 9.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.77899%
Published: 5/13/2022
Updated: 10/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: pyanyapi
Ecosystem: pip
Vulnerable Versions: < 0.6.1
First Patched Version: 0.6.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems directly from the call to yaml.load() in the perform_parsing method of YAMLInterface. Before PyYAML 5.1, yaml.load() used the full Loader by default, which honours python/* tags (for example !!python/object/apply:) and therefore imports and calls arbitrary Python callables named in untrusted input. The commit diff shows the fix replacing load() with safe_load(), which constructs only plain YAML types, and the CVE description explicitly identifies this as the vulnerable pattern. The test case added in test_parsers.py demonstrates that an exploitation attempt succeeds with load() but fails with safe_load(). This matches the CWE-502 pattern of deserialization of untrusted data.
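The following is an added example written for this page; it is not pyanyapi's own code and does not reproduce Interfaces.py. It does two things: it runs a constructed malicious YAML document through the loader behaviour pyanyapi < 0.6.1 relied on and through the safe_load() that 0.6.1 switched to, and it scans a constructed source sample with the ast module to flag yaml.load() calls that lack a safe Loader. The function names (parse_unsafe, parse_safe, demonstrate, find_unsafe_yaml_loads), the SAMPLE_SOURCE snippet and the payload (which calls builtins.sum rather than a shell) are all assumptions made for the example.

```python
"""Added example for CVE-2017-16616 (not pyanyapi's own code).

Part 1 shows the CWE-502 behaviour behind the CVE: yaml.load() with PyYAML's
full Loader executes Python callables named in the document, while
yaml.safe_load() refuses them. Part 2 is a small AST scan that flags the
unsafe call pattern in source code.
"""
import ast
import yaml

# Constructed malicious document. The python/object/apply tag tells the loader
# to import builtins.sum and call it with the listed arguments. A real payload
# would name something like os.system or subprocess.check_output instead.
MALICIOUS_YAML = """
payload: !!python/object/apply:builtins.sum [[1, 2, 3]]
"""


def parse_unsafe(text):
    """What pyanyapi < 0.6.1 effectively did. yaml.Loader is the loader that a
    plain yaml.load() used by default before PyYAML 5.1; it honours python/* tags."""
    return yaml.load(text, Loader=yaml.Loader)


def parse_safe(text):
    """The 0.6.1 fix: safe_load builds only plain YAML types and raises a
    ConstructorError on python/* tags."""
    return yaml.safe_load(text)


def demonstrate():
    """Return (result of the unsafe parse, error class name from the safe parse)."""
    unsafe_result = parse_unsafe(MALICIOUS_YAML)   # {'payload': 6}: sum() actually ran
    try:
        parse_safe(MALICIOUS_YAML)
        safe_error = None
    except yaml.YAMLError as exc:
        safe_error = type(exc).__name__              # 'ConstructorError'
    return unsafe_result, safe_error


# Loaders that never construct arbitrary Python objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def find_unsafe_yaml_loads(source):
    """Return (lineno, reason) for every yaml.load() call in `source` that has
    no Loader argument or names a loader outside SAFE_LOADERS."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "load"
                and isinstance(func.value, ast.Name) and func.value.id == "yaml"):
            continue
        loader = None
        for kw in node.keywords:
            if kw.arg == "Loader":
                loader = kw.value
        if loader is None and len(node.args) > 1:
            loader = node.args[1]          # Loader passed positionally
        if loader is None:
            findings.append((node.lineno, "no Loader argument"))
            continue
        # Accept both yaml.SafeLoader (Attribute) and a bare SafeLoader (Name).
        name = getattr(loader, "attr", None) or getattr(loader, "id", None)
        if name not in SAFE_LOADERS:
            findings.append((node.lineno, "Loader=%s" % name))
    return findings


# Constructed sample mirroring the before/after shape of the fix; this is not
# the real Interfaces.py.
SAMPLE_SOURCE = '''import yaml

def parse_before_fix(data):
    return yaml.load(data)

def parse_explicit_loader(data):
    return yaml.load(data, Loader=yaml.Loader)

def parse_after_fix(data):
    return yaml.safe_load(data)

def parse_with_safe_loader(data):
    return yaml.load(data, Loader=yaml.SafeLoader)
'''


if __name__ == "__main__":
    print(demonstrate())
    print(find_unsafe_yaml_loads(SAMPLE_SOURCE))
```

Running it prints ({'payload': 6}, 'ConstructorError') followed by [(4, 'no Loader argument'), (7, 'Loader=Loader')]: the unsafe path executed the callable named in the input, the safe path rejected the tag, and the scan catches both the bare yaml.load(data) of the vulnerable release and the explicit-Loader variant, while leaving safe_load() and Loader=yaml.SafeLoader alone. The same scan can be pointed at a whole dependency tree to find other libraries carrying this pattern.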


WAF Protection Rules

WAF Rule

An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because `load` is used where
