[Snyk: High] arbitrary code execution (Due: 08/28/2020) #4525

jason-upchurch · 2020-07-29T14:16:09Z

as a user of openFEC, I want vulnerabilities to be patched.
https://app.snyk.io/vuln/SNYK-PYTHON-PYYAML-590151

A vulnerability is introduced through apispec@0.39.0:

in PyYAML@5.3.1
introduced by apispec@0.39.0 > PyYAML@5.3.1 and 2 other path(s)
  No upgrade or patch available

Completion criteria:

Confirm this is a problem and if so, determine whether there is an upgrade and make that change
If it's a confirmed vulnerability and if no remediation is available notify security

The text was updated successfully, but these errors were encountered:

lbeaufort · 2020-07-30T15:17:11Z

Here's the PR I put in to apispec to use safe_load instead of load: marshmallow-code/apispec#281.

My assessment is that this isn't a vulnerability because:

So, closing.

jason-upchurch added the Security: high Remediate within 30 days label Jul 29, 2020

jason-upchurch modified the milestones: Sprint 13.1, Sprint 13.2 Jul 29, 2020

jason-upchurch added the Needs refinement label Jul 29, 2020

jason-upchurch mentioned this issue Jul 29, 2020

Check logs Sprint 13.1 week 2 #4481

Closed

2 tasks

JonellaCulmer removed the Needs refinement label Jul 30, 2020

lbeaufort closed this as completed Jul 30, 2020

lbeaufort self-assigned this Jul 30, 2020

lbeaufort mentioned this issue Aug 13, 2020

[Snyk: High Severity] Arbitrary Code Execution (Due: 09/04/2020)(Block?) #4541

Closed

patphongs mentioned this issue Feb 29, 2024

Epic: Stability and reliability fecgov/fec-epics#137

Open

Provide feedback