CVE Vulnerabilities

CVE-2019-20478

Published: Feb 19, 2020 | Modified: Nov 21, 2024

CVSS 3.x:  9.8 CRITICAL (Source: NVD)  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x:  10 HIGH                     AV:N/AC:L/Au:N/C:C/I:C/A:C
RedHat/V2:
RedHat/V3: 9.8 MODERATE                CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu:    MEDIUM

In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.

Affected Software

Name         Vendor               Start Version   End Version
Ruamel.yaml  Ruamel.yaml_project  *               0.16.7 (including)
Ruamel.yaml  Ubuntu bionic        *
Ruamel.yaml  Ubuntu eoan          *
Ruamel.yaml  Ubuntu groovy        *
Ruamel.yaml  Ubuntu hirsute       *
Ruamel.yaml  Ubuntu impish        *
Ruamel.yaml  Ubuntu kinetic       *
Ruamel.yaml  Ubuntu lunar         *
Ruamel.yaml  Ubuntu mantic        *
Ruamel.yaml  Ubuntu trusty        *
Ruamel.yaml  Ubuntu xenial        *

References