CVE-2017-16618:
Unsafe deserialization in owlmixin

9.8

CVSS Score

Basic Information

EPSS Score
-
Published
7/13/2018
Updated
10/7/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
owlmixin
Ecosystem
pip
Vulnerable Versions
< 2.0.0
First Patched Version
2.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems directly from calling PyYAML's yaml.load() in both load_yaml() and load_yamlf(). In the PyYAML releases of that era, yaml.load() defaulted to the full Loader, which honours Python-specific tags such as !!python/object/apply and will import and call the named callable while constructing the document, so any caller that fed untrusted YAML to these functions handed the attacker code execution. The commit diff shows both functions were patched by replacing yaml.load with yaml.safe_load, whose SafeLoader constructs only plain YAML types and raises on python/* tags. The CWE-502 mapping and GitHub issue #12 confirm these functions accepted untrusted YAML input without restriction. Test cases added in the commit exercise exploitation attempts through these functions.
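The pre-fix and post-fix loader shapes side by side, as an added example that is not part of the Miggo page or of owlmixin's own code. It uses a constructed !!python/object/apply payload that calls the harmless builtins.sorted so the effect is visible without a real side effect; a real payload would name os.system or similar in the same position. The function names load_yaml_unsafe, load_yaml_safe, load_yamlf_safe and try_load are hypothetical stand-ins for the load_yaml / load_yamlf pattern the analysis describes, and PyYAML (the yaml module) is assumed to be installed.

```python
"""Unsafe vs safe PyYAML loading of untrusted input.

Added example, not owlmixin's code. Function names are hypothetical
stand-ins for the load_yaml / load_yamlf pattern in the advisory.
"""
import os
import tempfile

import yaml

# Constructed attacker input. The !!python/object/apply tag asks PyYAML's
# full (unsafe) constructor to import builtins.sorted and call it with the
# listed arguments while building the document. sorted is used so the demo
# is harmless; os.system in the same slot would run a shell command.
MALICIOUS_YAML = """\
name: demo
evil: !!python/object/apply:builtins.sorted
  - [3, 1, 2]
"""

# Constructed benign document for comparison.
BENIGN_YAML = "name: demo\ncount: 3\n"


def load_yaml_unsafe(text):
    """Pre-2.0.0 shape: yaml.load() with the full Loader, which was the
    default Loader before PyYAML 5.1. Any importable callable named in the
    document is invoked during construction."""
    return yaml.load(text, Loader=yaml.Loader)


def load_yaml_safe(text):
    """Patched shape: safe_load() builds only plain YAML types (mappings,
    sequences, scalars) and raises on python/* tags instead of resolving them."""
    return yaml.safe_load(text)


def load_yamlf_safe(path):
    """File variant (the load_yamlf counterpart): same fix, read then safe_load."""
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def try_load(loader, source):
    """Run a loader and report ('ok', data) or ('rejected', exception name)."""
    try:
        return "ok", loader(source)
    except yaml.YAMLError as exc:
        return "rejected", exc.__class__.__name__


def demo():
    """Load the constructed documents through each loader and collect outcomes."""
    results = {
        "unsafe": try_load(load_yaml_unsafe, MALICIOUS_YAML),
        "safe": try_load(load_yaml_safe, MALICIOUS_YAML),
        "safe_benign": try_load(load_yaml_safe, BENIGN_YAML),
    }
    # Write the payload to a temp file to exercise the file-based loader too.
    with tempfile.NamedTemporaryFile("w", suffix=".yml", delete=False) as tmp:
        tmp.write(MALICIOUS_YAML)
    try:
        results["safe_file"] = try_load(load_yamlf_safe, tmp.name)
    finally:
        os.unlink(tmp.name)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:12s} -> {outcome}")
```

With the unsafe loader the "evil" key comes back as [1, 2, 3], proof that the loader executed sorted([3, 1, 2]) on the attacker's behalf; with safe_load the same document is rejected with a ConstructorError before any callable is resolved, while the benign document loads normally. The fix is therefore a one-token change per call site, but it only holds if every code path that touches untrusted YAML uses safe_load (or a SafeLoader subclass), not just the ones that were reported.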

WAF Protection Rules

WAF Rule

An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A "Load YAML" string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load
