{"id":"PYSEC-2014-24","details":"emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.","aliases":["CVE-2011-4103","GHSA-pvhp-v9qp-xf5r"],"modified":"2023-11-08T03:57:01.074322Z","published":"2014-10-27T01:55:00Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=750658"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2011/11/01/10"},{"type":"WEB","url":"https://bitbucket.org/jespern/django-piston/commits/91bdaec89543/"},{"type":"ADVISORY","url":"http://www.debian.org/security/2011/dsa-2344"},{"type":"ARTICLE","url":"https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-pvhp-v9qp-xf5r"}],"affected":[{"package":{"name":"django-piston","ecosystem":"PyPI","purl":"pkg:pypi/django-piston"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.2.3"}]}],"versions":["0.0.1","0.2","0.2.1","0.2.2","0.2.2.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django-piston/PYSEC-2014-24.yaml"}}],"schema_version":"1.7.3"}