Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 531
Alerts This Week
Warning Icon 1 531

Mageia: 2019-0065 Moderate: Marshmallow Schema Exposure Risk

mageia
Calendar Grey February 13, 2019
Scroller Mageia Esm H88
MGASA-2019-0066: Revised python-flask libraries address significant vulnerability related to user authentication failures.
In the marshmallow library before 2.15.1 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose ...

Summary

In the marshmallow library before 2.15.1 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only") (CVE-2018-17175).

References

- https://bugs.mageia.org/show_bug.cgi?id=23703

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GCKZAADQI7JJ3ZUN7DSIR2JH3VZEJZDM/

- https://www.cve.org/CVERecord?id=CVE-2018-17175

Resolution

SRPMS

- 6/core/python-marshmallow-2.2.1-0.5.gitea1def9.mga6

Publication date: 13 Feb 2019
URL: https://advisories.mageia.org/MGASA-2019-0065.html
Type: security
CVE: CVE-2018-17175

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.