5.3

CVSS Score

Basic Information

CVE ID

CVE-2018-17175

GHSA ID

GHSA-9q2p-fj49-vpxj

EPSS Score

CWE

CWE-358

Published

10/10/2018

Updated

9/24/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-17175

CVE-2018-17175:
In marshmallow library the schema "only" option treats an empty list as implying no "only" option

In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").

(GitHub Advisory)

5.3

CVSS Score

Basic Information

CVE ID

CVE-2018-17175

GHSA ID

GHSA-9q2p-fj49-vpxj

EPSS Score

CWE

CWE-358

Published

10/10/2018

Updated

9/24/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
marshmallow	pip	< 2.15.1	2.15.1
marshmallow	pip	>= 3.0a0, < 3.0.0b9	3.0.0b9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from truthiness checks on the 'only' parameter. The patched changes explicitly check for None instead of falsy values. The three modified functions all handled the 'only' parameter validation and field filtering logic. In vulnerable versions, passing an empty list to 'only' would bypass field filtering in _normalize_nested_options and _update_fields due to Python's falsy evaluation of empty lists, while init's default empty tuple initialization exacerbated this behavior. These functions would appear in stack traces when processing serialization requests with empty 'only' parameters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In t** m*rs*m*llow li*r*ry ***or* *.**.* *n* *.x ***or* *.*.*** *or Pyt*on, t** s***m* "only" option tr**ts *n *mpty list *s implyin* no "only" option, w*i** *llows * r*qu*st t**t w*s int*n*** to *xpos* no *i*l*s to inst*** *xpos* *ll *i*l*s (i* t**

Reasoning

T** vuln*r**ility st*ms *rom trut*in*ss ****ks on t** 'only' p*r*m*t*r. T** p*t**** ***n**s *xpli*itly ****k *or Non* inst*** o* **lsy v*lu*s. T** t*r** mo*i*i** *un*tions *ll **n*l** t** 'only' p*r*m*t*r v*li**tion *n* *i*l* *ilt*rin* lo*i*. In vuln

5.3

Basic Information

Concerned about an active attack path?

CVE-2018-17175: In marshmallow library the schema "only" option treats an empty list as implying no "only" option

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-17175:
In marshmallow library the schema "only" option treats an empty list as implying no "only" option

Vulnerability Intelligence
Miggo AI