CVE-2019-20478
Status: PUBLISHED
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
Risk Scores
- EPSS Score: 7.30% (91.8th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | ruamel.yaml | 0, 0.13.4-2build2, 0.15.34-1 |
| Ubuntu:22.04:LTS | ruamel.yaml | 0.16.12-2, 0.17.16-1, 0 |
| Ubuntu:24.04:LTS | ruamel.yaml | 0, 0.17.21-1 |
| Ubuntu:20.04:LTS | ruamel.yaml | 0.15.89-3build1, 0, 0.15.34-1build2 |
| Ubuntu:25.10 | ruamel.yaml | *, 0 |
| Ubuntu:16.04:LTS | ruamel.yaml | 0.10.12-2, 0, 0.10.23-1 |
Timeline
- Feb 19, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 7, 2023 EPSS Score
- Mar 10, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-20478 third-party-advisory
- https://www.exploit-db.com/exploits/47655 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-20478 third-party-advisory