Vulnerabilities > CVE-2018-17175 - Unspecified vulnerability in Marshmallow Project Marshmallow
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2018-8B109A6DE0.NASL description Security fix for CVE-2018-17175 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-10-11 plugin id 118046 published 2018-10-11 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118046 title Fedora 27 : python-marshmallow (2018-8b109a6de0) NASL family Fedora Local Security Checks NASL id FEDORA_2018-9006B64E41.NASL description Security fix for CVE-2018-17175 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120614 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120614 title Fedora 29 : python-marshmallow (2018-9006b64e41) NASL family Fedora Local Security Checks NASL id FEDORA_2018-CC9ADC4808.NASL description Security fix for CVE-2018-17175 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120796 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120796 title Fedora 28 : python-marshmallow (2018-cc9adc4808)
References
- https://github.com/marshmallow-code/marshmallow/issues/772
- https://github.com/marshmallow-code/marshmallow/issues/772
- https://github.com/marshmallow-code/marshmallow/pull/777
- https://github.com/marshmallow-code/marshmallow/pull/777
- https://github.com/marshmallow-code/marshmallow/pull/782
- https://github.com/marshmallow-code/marshmallow/pull/782