POLICY-OTHER --
POLICY-OTHER PyYAML Python object serialization attempt
This rule detects the attempted download of a YAML file that contains a serialized Python object by looking for the syntax used to create a new Python object. This rule is in response to the ability to run arbitrary code via the object deserialization process in PyYAML when loading untrusted YAML files without using a safe YAML load method.
This rule detects the attempted download of a YAML file that contains a serialized Python object.
No public information
No known false positives
Cisco Talos Intelligence Group
No rule groups
N/A
Not Applicable
CVE-2020-14343A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. |
|
|||||||||||||||||||||||||||||||
CVE-2020-1747A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor. |
|
|||||||||||||||||||||||||||||||
Tactic: Execution
Technique: Execution through Module Load
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
©2023 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
