Python Package: PyAnyAPI
Version: Before 0.6.1
Published: Nov. 7th, 2017
Reported by: Joel
PyAnyAPI is a library for convenient interface creation over various types of data in a declarative way. An issue was discovered in the
pyanyapi package before 0.6.1. Untrusted data passed into the yaml.load() function is parsed with PyYAML's full loader, which honours
the !!python/* tags and will therefore import modules, instantiate arbitrary Python objects and call arbitrary Python callables named in
the document, resulting in arbitrary code execution on the host that parses attacker-controlled YAML.
The updated version of PyAnyAPI (0.6.1) correctly uses the yaml.safe_load method, which only constructs the core YAML types (mappings,
sequences, strings, numbers, booleans and null) and raises a constructor error on any python/* tag, so untrusted YAML can no longer
trigger remote code execution.
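The following is an added example, not code from PyAnyAPI or from the advisory's author, showing the difference between the two loaders on a constructed malicious document. It assumes PyYAML 5.1 or later so that yaml.UnsafeLoader is available; on PyYAML before 5.1, a plain yaml.load(document) call with no Loader argument behaves exactly like the unsafe path below, which is what PyAnyAPI before 0.6.1 did.

```python
"""Added example (not PyAnyAPI's own code): yaml.load() with the full
loader versus yaml.safe_load() on attacker-controlled input.
Assumes PyYAML >= 5.1 (yaml.UnsafeLoader exists)."""
import yaml

# Constructed attacker-controlled document. The !!python/object/apply tag
# makes the full/unsafe loader resolve the dotted name, import the module
# and call the callable with the sequence as positional arguments.
# builtins.eval is used here so the result is deterministic; the same tag
# can just as easily name os.system or subprocess.check_output.
EVIL_YAML = '!!python/object/apply:builtins.eval ["6 * 7"]\n'

# Constructed benign document: only core YAML types.
BENIGN_YAML = "name: example\nport: 8080\n"


def load_unsafe(document):
    """The pre-0.6.1 pattern. yaml.UnsafeLoader is the explicit name for
    the loader that yaml.load() used by default before PyYAML 5.1."""
    return yaml.load(document, Loader=yaml.UnsafeLoader)


def load_safe(document):
    """The 0.6.1 fix: safe_load only knows mappings, sequences, strings,
    numbers, booleans and null, and has no constructor for python/* tags."""
    return yaml.safe_load(document)


def safe_load_rejects(document):
    """True if safe_load refuses the document with a YAML error
    (yaml.constructor.ConstructorError is a subclass of yaml.YAMLError)."""
    try:
        yaml.safe_load(document)
    except yaml.YAMLError:
        return True
    return False


def parse_untrusted(document):
    """How a library should expose YAML parsing of untrusted input:
    safe_load only, with loader errors turned into a plain ValueError so
    callers cannot be tempted to fall back to a more permissive loader."""
    try:
        return yaml.safe_load(document)
    except yaml.YAMLError as exc:
        raise ValueError("rejected untrusted YAML: %s" % exc) from exc


if __name__ == "__main__":
    # The unsafe loader actually evaluates the expression named in the tag.
    print("unsafe loader ->", load_unsafe(EVIL_YAML))
    # safe_load returns plain data for benign input...
    print("safe_load     ->", load_safe(BENIGN_YAML))
    # ...and refuses the python/* tag outright.
    print("safe_load rejects evil doc:", safe_load_rejects(EVIL_YAML))
```

Run it to see the unsafe loader return 42 for a document that merely names builtins.eval; swap the callable for os.system and the argument for a shell string and the same parse runs a command. A quick audit check for any Python code base is to grep for `yaml.load(` and confirm every call either passes `Loader=yaml.SafeLoader` or is replaced by `yaml.safe_load`.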