CVE-2011-4104
Django Tastypie Improper Deserialization of YAML Data
9.8
CRITICAL
CVSS 3.1
EPSS 0.82%
Description
The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.
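The root cause described above is a YAML serializer that hands untrusted request bodies to PyYAML's full loader, which honours `!!python/` tags and will construct arbitrary Python objects. The block below is an added illustration, not Tastypie's own code: it places a Tastypie-style `from_yaml` built on a full `Loader` beside the hardened form built on `yaml.safe_load`, and adds a small pre-parse check that flags `!!python/` tags so they can be logged or rejected before parsing. It assumes PyYAML is installed; the function names, the constructed sample documents and the tuple-tag probe are hypothetical and chosen to be harmless.

```python
"""Vulnerable vs. hardened YAML deserialization (added example, not Tastypie code).

Assumption: PyYAML is installed (`pip install pyyaml`).  The sample documents
below are constructed for the demo; the !!python/tuple tag is used only because
it is the least harmful way to show that a full Loader constructs Python objects
while safe_load refuses to.
"""
import re

try:
    import yaml  # PyYAML; assumed available
except ImportError:  # pragma: no cover
    yaml = None

# Any tag under the python/ namespace maps to object construction in the full Loader.
PYTHON_TAG = re.compile(r"!!python/")

# Constructed sample inputs (not from the advisory).
BENIGN_DOC = "name: widget\ncount: 3\n"
TAGGED_DOC = "name: widget\nvalue: !!python/tuple [1, 2]\n"


def yaml_available():
    """True when PyYAML could be imported; lets callers skip the parse demo otherwise."""
    return yaml is not None


def find_python_tags(text):
    """Return 1-based line numbers that carry a '!!python/' tag.

    This is a detection signal for logging/alerting on suspicious request bodies;
    it is not a substitute for using a safe loader.
    """
    return [n for n, line in enumerate(text.splitlines(), 1) if PYTHON_TAG.search(line)]


def from_yaml_vulnerable(content):
    """Pattern fixed by CVE-2011-4104: a full Loader resolves !!python/ tags."""
    return yaml.load(content, Loader=yaml.Loader)


def from_yaml_safe(content):
    """Fix: safe_load only builds standard YAML types (maps, sequences, scalars)."""
    return yaml.safe_load(content)


def deserialize_untrusted(content):
    """Parse with the safe loader; return (result, None) or (None, error_class_name).

    A !!python/ tag makes safe_load raise yaml.constructor.ConstructorError,
    which a web layer should turn into a 400 response and a log line.
    """
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    try:
        return from_yaml_safe(content), None
    except yaml.YAMLError as exc:
        return None, type(exc).__name__


def demo():
    """Show the difference between the two loaders on the constructed documents."""
    if not yaml_available():
        return None
    vulnerable_result = from_yaml_vulnerable(TAGGED_DOC)   # builds a real tuple
    safe_result, err = deserialize_untrusted(TAGGED_DOC)   # refused
    return {
        "flagged_lines": find_python_tags(TAGGED_DOC),
        "vulnerable_builds_tuple": isinstance(vulnerable_result["value"], tuple),
        "safe_result": safe_result,
        "safe_error": err,
    }


if __name__ == "__main__":
    print(demo())
```

In a request-handling path, `find_python_tags` is the cheap detection hook (log the client and reject), and `from_yaml_safe` is the actual mitigation; the vulnerable function is kept only to show the behaviour the advisory describes.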
How to fix CVE-2011-4104
To remediate CVE-2011-4104, upgrade the affected package to a fixed version below.
- Debian/django-tastypie—upgrade to 0.9.10-1 or later
- —upgrade to 0.9.10 or later
- —upgrade to e8af315211b07c8f48f32a063233cc3f76dd5bc2 or later
Is CVE-2011-4104 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 0.9.10-1
- from 0, < 0.9.10
- from 0, < e8af315211b07c8f48f32a063233cc3f76dd5bc2 | from 0, < 0.9.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |