{"id":"PYSEC-2017-23","details":"An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.","aliases":["CVE-2017-16616","GHSA-vg8g-jpm9-jh8r"],"modified":"2023-11-08T03:59:13.122220Z","published":"2017-11-08T03:29:00Z","references":[{"type":"WEB","url":"https://pypi.python.org/pypi/pyanyapi/0.6.1"},{"type":"WEB","url":"https://github.com/Stranger6667/pyanyapi/releases/tag/0.6.1"},{"type":"REPORT","url":"https://github.com/Stranger6667/pyanyapi/issues/41"},{"type":"ARTICLE","url":"https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16616-yamlparser-in-pyanyapi/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-vg8g-jpm9-jh8r"}],"affected":[{"package":{"name":"pyanyapi","ecosystem":"PyPI","purl":"pkg:pypi/pyanyapi"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.1"}]}],"versions":["0.4","0.5","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.5.8","0.6.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pyanyapi/PYSEC-2017-23.yaml"}}],"schema_version":"1.7.3"}