CVE-2018-17175 - Unspecified vulnerability in Marshmallow Project Marshmallow

CVSS 5.0 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: NONE
  • Availability impact: NONE

Tags: network, low complexity, marshmallow-project, nessus

Summary

In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
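
The empty-versus-absent confusion described above, as an added example that is not marshmallow's code and not part of the original record. The serializer is a minimal stand-in, and every name in it (dump_vulnerable, dump_fixed, ROLE_FIELDS, fields_for, exposure_report, USER) is hypothetical.

```python
# Added illustration: a minimal stand-in serializer, NOT marshmallow's code.
# All names and sample data here are hypothetical / constructed.

USER = {"id": 7, "email": "a@example.test", "password_hash": "x" * 8}

# Per-role allow-lists passed as the "only" option.
ROLE_FIELDS = {
    "admin": None,              # None = no filter requested, all fields
    "member": ["id", "email"],
    "guest": [],                # empty list = intended to expose no fields
}


def dump_vulnerable(obj, only=None):
    """Truthiness test: [] and None take the same branch, so an empty
    allow-list is treated as 'no only option' and every field is returned."""
    if only:
        return {k: v for k, v in obj.items() if k in only}
    return dict(obj)


def dump_fixed(obj, only=None):
    """Identity test: only None disables filtering; [] filters everything."""
    if only is not None:
        allowed = set(only)
        return {k: v for k, v in obj.items() if k in allowed}
    return dict(obj)


def fields_for(role):
    """Fail closed: an unknown role gets an empty allow-list, never None."""
    return ROLE_FIELDS.get(role, [])


def exposure_report(dump):
    """Field names each role (plus an unknown one) receives from `dump`."""
    roles = ["admin", "member", "guest", "unknown"]
    return {r: sorted(dump(USER, only=fields_for(r))) for r in roles}


if __name__ == "__main__":
    for name, fn in [("vulnerable", dump_vulnerable), ("fixed", dump_fixed)]:
        print(name, exposure_report(fn))
```

On affected versions, a caller-side guard that refuses to serialize when the computed "only" value is empty gives the same fail-closed result until the library is upgraded.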

Vulnerable Configurations

Part         Description          Count
Application  Marshmallow_Project  84

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-8B109A6DE0.NASL
    description: Security fix for CVE-2018-17175. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-10-11
    plugin id: 118046
    published: 2018-10-11
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118046
    title: Fedora 27 : python-marshmallow (2018-8b109a6de0)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-9006B64E41.NASL
    description: Security fix for CVE-2018-17175. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2019-01-03
    plugin id: 120614
    published: 2019-01-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120614
    title: Fedora 29 : python-marshmallow (2018-9006b64e41)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-CC9ADC4808.NASL
    description: Security fix for CVE-2018-17175. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2019-01-03
    plugin id: 120796
    published: 2019-01-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120796
    title: Fedora 28 : python-marshmallow (2018-cc9adc4808)