VDB

MAGEIA-2019-65

MAGEIA-2019-65 PUBLISHED

In the marshmallow library before 2.15.1 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only") (CVE-2018-17175).

Affected Products

VendorProductVersions
Mageiamingw-gcc0, 8.3.0-1.1.mga7
Mageiapython-marshmallow0, 2.2.1-0.5.gitea1def9.mga6, 0

Timeline

  • Feb 13, 2019 CVE Updated
  • Feb 13, 2019 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›