@adveres
Last active April 9, 2021 17:36
PyYAML vulnerability <5.4

The build log below shows pipenv check failing on the tiangolo/uvicorn-gunicorn:python3.8-slim-2020-12-19 base image, whose pip freeze lists PyYAML==5.3.1. PyYAML releases before 5.4 allow arbitrary code execution when untrusted YAML is parsed with full_load or the FullLoader loader, because the python/object/new constructor is reachable (CVE-2020-14343, an incomplete fix for CVE-2020-1747). The remediation is to upgrade to PyYAML >= 5.4; untrusted YAML should in any case be parsed with safe_load, which does not register the python/object constructors.

https://nvd.nist.gov/vuln/detail/CVE-2020-14343

docker build --progress=plain .
#1 [internal] load build definition from Dockerfile_test
#1 sha256:6b305f61164278296532c3c8f95d3e8e9e456dcb46feecab53063845a75330fc
#1 transferring dockerfile: 757B done
#1 DONE 0.0s

#2 [internal] load .dockerignore
#2 sha256:b3fb82599c33435ee757f14fcf934633062472ee33fa2929bdf5a2739ad28acf
#2 transferring context: 2B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/tiangolo/uvicorn-gunicorn:python3.8-slim-2020-12-19
#3 sha256:9f7f96684600e3016b332292dc6a2814fc329b9b27a71ffebd54cd97eab64846
#3 DONE 1.2s

#4 [base 1/2] FROM docker.io/tiangolo/uvicorn-gunicorn:python3.8-slim-2020-12-19@sha256:752be5e19c7c74f05097c92504a4ff34f54c98c012f5d2d5dfdb271fed60e2f7
#4 sha256:6313728697e0f563062e51d6c317bad38af3a0742b1a439a5dc5b3843d764d87
#4 CACHED

#5 [test 2/8] WORKDIR /tmp
#5 sha256:36c904ed203c9c4e64f0b6dfd5b043b5e3e5556b9616359ec4312d6c783378ac
#5 CACHED

#9 [internal] load build context
#9 sha256:bbb29b5842c65e5d82ee7dadcf0de9270e5daa5764d39a966f78947e0625f19c
#9 transferring context: 2.73kB done
#9 DONE 0.0s

#6 [base 2/2] RUN pip freeze     && pip install pipenv     && pipenv check
#6 sha256:b3a8e2c013d7c0b62b3cde375040df28bea666630674354f92f5c71b03985562
#6 0.626 click==7.1.2
#6 0.626 gunicorn==20.0.4
#6 0.626 h11==0.11.0
#6 0.626 httptools==0.1.1
#6 0.626 python-dotenv==0.15.0
#6 0.626 PyYAML==5.3.1
#6 0.626 uvicorn==0.13.1
#6 0.626 uvloop==0.14.0
#6 0.626 watchgod==0.6
#6 0.626 websockets==8.1
#6 1.805 Collecting pipenv
#6 2.341   Downloading pipenv-2020.11.15-py2.py3-none-any.whl (3.9 MB)
#6 3.879 Requirement already satisfied: pip>=18.0 in /usr/local/lib/python3.8/site-packages (from pipenv) (20.3.3)
#6 4.224 Requirement already satisfied: setuptools>=36.2.1 in /usr/local/lib/python3.8/site-packages (from pipenv) (51.0.0)
#6 4.227 Collecting virtualenv-clone>=0.2.5
#6 4.328   Downloading virtualenv_clone-0.5.4-py2.py3-none-any.whl (6.6 kB)
#6 4.335 Collecting certifi
#6 4.443   Downloading certifi-2020.12.5-py2.py3-none-any.whl (147 kB)
#6 4.469 Collecting virtualenv
#6 4.576   Downloading virtualenv-20.4.3-py2.py3-none-any.whl (7.2 MB)
#6 5.733 Collecting appdirs<2,>=1.4.3
#6 5.839   Downloading appdirs-1.4.4-py2.py3-none-any.whl (9.6 kB)
#6 5.846 Collecting distlib<1,>=0.3.1
#6 5.961   Downloading distlib-0.3.1-py2.py3-none-any.whl (335 kB)
#6 5.991 Collecting filelock<4,>=3.0.0
#6 6.111   Downloading filelock-3.0.12-py3-none-any.whl (7.6 kB)
#6 6.118 Collecting six<2,>=1.9.0
#6 6.221   Downloading six-1.15.0-py2.py3-none-any.whl (10 kB)
#6 6.360 Installing collected packages: six, filelock, distlib, appdirs, virtualenv-clone, virtualenv, certifi, pipenv
#6 8.803 Successfully installed appdirs-1.4.4 certifi-2020.12.5 distlib-0.3.1 filelock-3.0.12 pipenv-2020.11.15 six-1.15.0 virtualenv-20.4.3 virtualenv-clone-0.5.4
#6 9.453 WARNING: You are using pip version 20.3.3; however, version 21.0.1 is available.
#6 9.453 You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.
#6 10.27 Creating a virtualenv for this project...
#6 10.27 Pipfile: /app/Pipfile
#6 10.29 Using /usr/local/bin/python3.8 (3.8.6) to create virtualenv...
⠏ Creating virtual environment...created virtual environment CPython3.8.6.final.0-64 in 623ms
#6 11.05   creator CPython3Posix(dest=/root/.local/share/virtualenvs/app-4PlAip0Q, clear=False, no_vcs_ignore=False, global=False)
#6 11.05   seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/root/.local/share/virtualenv)
#6 11.05     added seed packages: pip==21.0.1, setuptools==54.1.2, wheel==0.36.2
#6 11.05   activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
#6 11.05
#6 11.10✔ Successfully created virtual environment!
#6 11.22 Virtualenv location: /root/.local/share/virtualenvs/app-4PlAip0Q
#6 11.22 Creating a Pipfile for this project...
#6 11.26 Checking PEP 508 requirements...
#6 11.31 Passed!
#6 11.31 Checking installed package safety...
#6 13.06 39611: pyyaml <5.4 resolved (5.3.1 installed)!
#6 13.06 A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. See CVE-2020-14343.
#6 13.06
#6 ERROR: executor failed running [/bin/sh -c pip freeze     && pip install pipenv     && pipenv check]: exit code: 1
------
 > [base 2/2] RUN pip freeze     && pip install pipenv     && pipenv check:
------
executor failed running [/bin/sh -c pip freeze     && pip install pipenv     && pipenv check]: exit code: 1
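The check that pipenv check performed above, reproduced as an added example (not code from the gist or from pipenv/safety): it parses pip freeze output, flags PyYAML releases before 5.4 as affected by CVE-2020-14343, and shows the hardened safe_load call for untrusted input. The freeze text is the list from the log, embedded as a constructed sample; the function names, the hand-rolled version ordering and the finding message are this example's own, not pipenv's.

```python
"""Audit `pip freeze` output for PyYAML versions affected by CVE-2020-14343.

Added example; stdlib only. The version ordering below is a deliberately
small subset of PEP 440 (final > pre-release, post-release > final) that is
sufficient for the 5.4 boundary.
"""
import re
from typing import Dict, List, Tuple

# First fixed release per the NVD entry for CVE-2020-14343.
PYYAML_FIXED = (5, 4, 0, 0)

# Constructed sample: the `pip freeze` lines printed in the build log above.
SAMPLE_FREEZE = """\
click==7.1.2
gunicorn==20.0.4
h11==0.11.0
httptools==0.1.1
python-dotenv==0.15.0
PyYAML==5.3.1
uvicorn==0.13.1
uvloop==0.14.0
watchgod==0.6
websockets==8.1
"""

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '5.3.1', '5.4', '5.4b1' or '5.4.post1' into a comparable tuple.

    The fourth element ranks a pre-release (a/b/rc/dev suffix) below and a
    post-release above the final release with the same numbers.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups()[:3])
    suffix = m.group(4)
    if not suffix:
        rank = 0
    elif suffix.startswith(".post"):
        rank = 1
    else:
        rank = -1
    return (major, minor, patch, rank)


def is_vulnerable_pyyaml(version: str) -> bool:
    """CVE-2020-14343 affects every PyYAML release before 5.4."""
    return parse_version(version) < PYYAML_FIXED


def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version from `pip freeze` lines.

    Names are normalised the way pip does (case-insensitive, '-', '_' and '.'
    collapsed to '-'). Lines without '==' (editable installs, comments) are
    skipped.
    """
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        pins[re.sub(r"[-_.]+", "-", name).lower()] = version.strip()
    return pins


def audit_freeze(text: str) -> List[str]:
    """Return one finding per vulnerable package; empty list means clean."""
    pins = parse_freeze(text)
    findings: List[str] = []
    version = pins.get("pyyaml")
    if version is not None and is_vulnerable_pyyaml(version):
        findings.append(f"pyyaml <5.4 resolved ({version} installed)! CVE-2020-14343")
    return findings


def load_untrusted_yaml(text: str):
    """Hardened form for application code: parse YAML from an untrusted source
    with the SafeLoader, which does not register the python/object/* constructors
    that CVE-2020-14343 abuses through full_load / FullLoader. PyYAML is
    imported lazily so the audit helpers above stay stdlib-only."""
    import yaml  # PyYAML
    return yaml.safe_load(text)


if __name__ == "__main__":
    # Mirrors the log: 5.3.1 is flagged, a freeze pinned to 5.4.1 is not.
    for finding in audit_freeze(SAMPLE_FREEZE):
        print(finding)
    print("after upgrade:", audit_freeze(SAMPLE_FREEZE.replace("PyYAML==5.3.1", "PyYAML==5.4.1")))
```

Running the audit against the log's freeze output produces the single PyYAML finding; replacing the pin with 5.4.1 produces none, which is the state the Dockerfile needs to reach (pip install "PyYAML>=5.4" before pipenv check) for the build to pass. Upgrading removes the library bug, but application code that parses untrusted YAML should still call safe_load rather than full_load, since FullLoader is designed to construct arbitrary Python objects.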