CVE-2011-4104

The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.
Configurations

Configuration 1 (hide)

cpe:2.3:a:djangoproject:tastypie:*:*:*:*:*:*:*:*

History

21 Nov 2024, 01:31

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2011/11/02/1 - Patch () http://www.openwall.com/lists/oss-security/2011/11/02/1 - Patch
References () http://www.openwall.com/lists/oss-security/2011/11/02/7 - () http://www.openwall.com/lists/oss-security/2011/11/02/7 -
References () https://github.com/toastdriven/django-tastypie/commit/e8af315211b07c8f48f32a063233cc3f76dd5bc2 - Patch () https://github.com/toastdriven/django-tastypie/commit/e8af315211b07c8f48f32a063233cc3f76dd5bc2 - Patch
References () https://groups.google.com/forum/#%21topic/django-tastypie/i2aNGDHTUBI - () https://groups.google.com/forum/#%21topic/django-tastypie/i2aNGDHTUBI -
References () https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/ - Vendor Advisory () https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/ - Vendor Advisory

07 Nov 2023, 02:09

Type Values Removed Values Added
References
  • {'url': 'https://groups.google.com/forum/#!topic/django-tastypie/i2aNGDHTUBI', 'name': 'https://groups.google.com/forum/#!topic/django-tastypie/i2aNGDHTUBI', 'tags': [], 'refsource': 'CONFIRM'}
  • () https://groups.google.com/forum/#%21topic/django-tastypie/i2aNGDHTUBI -

Information

Published : 2014-10-27 01:55

Updated : 2024-11-21 01:31


NVD link : CVE-2011-4104

Mitre link : CVE-2011-4104

CVE.ORG link : CVE-2011-4104


JSON object : View

Products Affected

djangoproject

  • tastypie
CWE
CWE-20

Improper Input Validation