Sonatype OSS Index CVE #2745

johnmarkpittman · 2022-12-05T15:33:09Z

johnmarkpittman
Dec 5, 2022

There is an active CVE in Sonatype's OSS Index (https://ossindex.sonatype.org/vulnerability/sonatype-2021-0482?component-type=pypi&component-name=altair) connected to _magics.py use of yaml.FullLoader. I understand that this was discussed previously; however, would you consider switching to yaml.SafeLoader instead?

I'm working in an unfortunately restrictive environment and could not get an exception approved for altair, which unfortunately bars me from using altair or any package with a dependency on it.

Answered by mattijn

Dec 5, 2022

Regardless true/false of this CVE within the current scope of Altair; are you allowed to install pyyaml? This vulnerability has been fixed upstream in pyyaml>=5.4: https://github.com/yaml/pyyaml/blob/master/CHANGES#L27

It might be good to eventually move from yaml.FullLoader to yaml.SafeLoader for other reasons:

FullLoader will be same or close to SafeLoader and will be deprecated.
yaml/pyyaml#420 (comment)

If you prepare a pull request mentioning that the FullLoader is intended to be deprecated and replaced by SafeLoader then we can finish this discussion too.

View full answer

mattijn · 2022-12-05T17:19:37Z

mattijn
Dec 5, 2022
Maintainer

Can you link the issue where this has been discussed?

In 418sec/huntr#1942 the code injection is presented.

0 replies

johnmarkpittman · 2022-12-05T17:58:14Z

johnmarkpittman
Dec 5, 2022
Author

This should get you there:

418sec#1

1 reply

mattijn Dec 5, 2022
Maintainer

I cannot reproduce the CVE.

The current behaviour with this line:

spec = yaml.load(cell, Loader=yaml.FullLoader)

https://github.com/altair-viz/altair/blob/master/altair/_magics.py#L179

Results for me in

yaml.constructor.ConstructorError: could not determine a constructor for the tag 'tag:yaml.org,2002:python/object/new:type'
  in "exploit.yml", line 1, column 1

If I change, yaml.FullLoader into yaml.UnsafeLoader I can reproduce the CVE, but that is not the discussion here.

Let say, if we change the yaml.FullLoader into yaml.SafeLoader how would that make altair not be listed by sonatype as vulnerability anymore?

mattijn · 2022-12-05T20:50:23Z

mattijn
Dec 5, 2022
Maintainer

Regardless true/false of this CVE within the current scope of Altair; are you allowed to install pyyaml? This vulnerability has been fixed upstream in pyyaml>=5.4: https://github.com/yaml/pyyaml/blob/master/CHANGES#L27

It might be good to eventually move from yaml.FullLoader to yaml.SafeLoader for other reasons:

FullLoader will be same or close to SafeLoader and will be deprecated.
yaml/pyyaml#420 (comment)

If you prepare a pull request mentioning that the FullLoader is intended to be deprecated and replaced by SafeLoader then we can finish this discussion too.

1 reply

johnmarkpittman Dec 5, 2022
Author

Ha! I'm getting the same behavior - I admittedly did not try reproducing the CVE before asking, so shame on me. Thanks for the response, I'm going to mark this as answered!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sonatype OSS Index CVE #2745

{{title}}

Replies: 3 comments 2 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Sonatype OSS Index CVE #2745

johnmarkpittman Dec 5, 2022

Replies: 3 comments · 2 replies

mattijn Dec 5, 2022 Maintainer

johnmarkpittman Dec 5, 2022 Author

mattijn Dec 5, 2022 Maintainer

mattijn Dec 5, 2022 Maintainer

johnmarkpittman Dec 5, 2022 Author

johnmarkpittman
Dec 5, 2022

Replies: 3 comments 2 replies

mattijn
Dec 5, 2022
Maintainer

johnmarkpittman
Dec 5, 2022
Author

mattijn Dec 5, 2022
Maintainer

mattijn
Dec 5, 2022
Maintainer

johnmarkpittman Dec 5, 2022
Author