CVE-2018-17175
Last modified
CVE-2018-17175 is a vulnerability of currently unknown severity. In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only"). EPSS estimates a 1.86% chance of exploitation in the next 30 days.
Description
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
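The root cause described above is a truthiness check: an empty list is falsy in Python, so code written as `if only:` cannot tell "restrict to no fields" apart from "no restriction given". The following is an added, self-contained illustration (it is not marshmallow's code and does not import it) that models the vulnerable and the corrected behaviour side by side, and shows the guard an application can apply in front of an unpatched library. The record, the role-to-fields policy and the function names are constructed for this example.

```python
"""Constructed model of the CVE-2018-17175 failure mode.

`dump_vulnerable` mirrors the pre-fix logic (empty `only` treated as no filter);
`dump_fixed` distinguishes None ("no restriction") from [] ("expose nothing").
Nothing here is marshmallow's own code; the names and data are assumptions.
"""

from typing import Dict, Iterable, Optional

# Constructed sample record that a serializer would emit unfiltered.
USER_RECORD: Dict[str, object] = {
    "id": 42,
    "email": "user@example.invalid",
    "password_hash": "<constructed-hash-placeholder>",
    "role": "guest",
}

# Constructed role -> permitted-fields policy. The guest role yields an empty
# list, which is exactly the input the advisory warns about.
ROLE_ONLY: Dict[str, list] = {
    "admin": ["id", "email", "password_hash", "role"],
    "member": ["id", "email"],
    "guest": [],
}


def dump_vulnerable(record: Dict[str, object],
                    only: Optional[Iterable[str]] = None) -> Dict[str, object]:
    """Pre-fix behaviour: `if only:` is False for [], so every field is exposed."""
    if only:
        allowed = set(only)
        return {k: v for k, v in record.items() if k in allowed}
    return dict(record)


def dump_fixed(record: Dict[str, object],
               only: Optional[Iterable[str]] = None) -> Dict[str, object]:
    """Corrected behaviour: only None means 'no restriction'; [] exposes nothing."""
    if only is not None:
        allowed = set(only)
        return {k: v for k, v in record.items() if k in allowed}
    return dict(record)


def guarded_dump(record: Dict[str, object],
                 only: Optional[Iterable[str]],
                 dumper=dump_vulnerable) -> Dict[str, object]:
    """Application-side mitigation for callers stuck on an unpatched version:
    short-circuit an explicitly empty `only` before the library ever sees it,
    so the library's truthiness check cannot widen the result."""
    if only is not None:
        only = list(only)
        if not only:
            return {}
    return dumper(record, only=only)


def dump_for_role(record: Dict[str, object], role: str,
                  dumper=dump_fixed) -> Dict[str, object]:
    """Deny by default: an unknown role maps to an empty field list."""
    return dumper(record, only=ROLE_ONLY.get(role, []))


if __name__ == "__main__":
    print("vulnerable, guest:", dump_for_role(USER_RECORD, "guest", dump_vulnerable))
    print("fixed, guest:     ", dump_for_role(USER_RECORD, "guest", dump_fixed))
    print("guarded, guest:   ", guarded_dump(USER_RECORD, ROLE_ONLY["guest"]))
```

Running the block prints the full record (including the password hash) for the guest role under the vulnerable dumper, and an empty dict under both the fixed dumper and the guard. A regression test for this class of bug should assert the empty-policy case explicitly, since a test that only covers non-empty `only` lists passes on both versions.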
Metrics
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Marshmallow Project | Marshmallow | < 2.15.1 |
| Marshmallow Project | Marshmallow | >= 3.0, < 3.0.0b9 |
References
- https://github.com/marshmallow-code/marshmallow/issues/772 (Issue Tracking, Third Party Advisory)
- https://github.com/marshmallow-code/marshmallow/pull/777 (Third Party Advisory)
- https://github.com/marshmallow-code/marshmallow/pull/782 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-17175?
How severe is CVE-2018-17175?
How do I fix CVE-2018-17175?
Are you affected by CVE-2018-17175?
Source: NVD / NIST
