{"id":"PYSEC-2017-22","details":"An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A \"Load YAML\" string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.","aliases":["CVE-2017-16618","GHSA-ccmq-qvcp-5mrm"],"modified":"2023-11-08T03:59:13.183583Z","published":"2017-11-08T03:29:00Z","references":[{"type":"REPORT","url":"https://github.com/tadashi-aikawa/owlmixin/issues/12"},{"type":"FIX","url":"https://github.com/tadashi-aikawa/owlmixin/commit/5d0575303f6df869a515ced4285f24ba721e0d4e"},{"type":"ARTICLE","url":"https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16618-convert-through-owlmixin/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-ccmq-qvcp-5mrm"}],"affected":[{"package":{"name":"owlmixin","ecosystem":"PyPI","purl":"pkg:pypi/owlmixin"},"ranges":[{"type":"GIT","repo":"https://github.com/tadashi-aikawa/owlmixin","events":[{"introduced":"0"},{"fixed":"5d0575303f6df869a515ced4285f24ba721e0d4e"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.0"}]}],"versions":["1.0.0","1.0.0b3","1.0.0b4","1.0.0b6","1.0.0b7","1.0.0rc1","1.0.0rc10","1.0.0rc11","1.0.0rc12","1.0.0rc13","1.0.0rc14","1.0.0rc15","1.0.0rc16","1.0.0rc2","1.0.0rc3","1.0.0rc4","1.0.0rc5","1.0.0rc6","1.0.0rc7","1.0.0rc8","1.0.0rc9","1.1.0","1.2.0","1.2.0a1","2.0.0a1","2.0.0a10","2.0.0a11","2.0.0a12","2.0.0a2","2.0.0a3","2.0.0a4","2.0.0a5","2.0.0a6","2.0.0a7","2.0.0a9","2.0.0rc1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/owlmixin/PYSEC-2017-22.yaml"}}],"schema_version":"1.7.3"}