clearcare / cc_dynamodb3 Goto Github PK

CVE-2017-18342 - High Severity Vulnerability

Vulnerable Library - PyYAML-3.13.tar.gz

YAML parser and emitter for Python

path: /cc_dynamodb3/test_requirements.txt

Library home page: https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz

Dependency Hierarchy:

• ❌ PyYAML-3.13.tar.gz (Vulnerable Library)

Vulnerability Details

In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.

Publish Date: 2018-06-27

URL: CVE-2017-18342

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

DynamoDBModel.setattr(), after invoking super, will set the attribute in its 'item' instance variable. Item is used as the basis for constructing the DynamoDB Item and as such, nothing should be added to item that is not defined as a DynamoDBModel field (i.e., exists in 'fields').

Currently, non-field attributes will be written to item, and when the model is saved, those non-field attributes will be attempted to be saved to DynamoDB. This usually (always?) results in an error.

Workaround: Add any non-field attributes to the FIELDS_SAFE_TO_OVERWRITE list for the subclass.

cc_dynamodb3 optimizes the set of changes when updating a DynamoDB Item by observing changes made to fields of the model via __setattr__(). But if a field is a 'compound' type, such as a Number Set, cc_dynamodb3 doesn't detect that the content of the set has changed. This results in the user of cc_dynamodb3 having to go through some gymnastics to ensure that __setattr__() gets invoked on the field itself just because the field's content changed.

ClientError: An error occurred (ValidationException) when calling the UpdateTable operation: No Attribute Schema Defined

Traceback:

/code/sync_tables.pyc in create_tables()
     20         except cc_dynamodb3.exceptions.TableAlreadyExistsException:
     21             try:
---> 22                 cc_dynamodb3.table.update_table(table_name=table_name, connection=connection)
     23             except cc_dynamodb3.exceptions.UpdateTableException as e:
     24                 if e.args and 'Mismatched schema' in e.args[0]:

/usr/local/lib/python2.7/site-packages/cc_dynamodb3/table.pyc in update_table(table_name, connection, throughput)
    408         print json.dumps(local_global_indexes_by_name, indent=4)
--> 409         db_table.update(GlobalSecondaryIndexUpdates=gsi_updates)
    410         log_data('update_table: %s' % table_name, extra=dict(status='updated table',

There is an error with this repository's Mend configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.

Errors:

• Failed to parse configuration file: clearcare/cc_dynamodb3/.whitesource: failed to parse JSON content