{"url":"http://public2.vulnerablecode.io/api/packages/10444?format=json","purl":"pkg:pypi/mlalchemy@0.1.2","type":"pypi","namespace":"","name":"mlalchemy","version":"0.1.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.2.2","latest_non_vulnerable_version":"0.2.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35139?format=json","vulnerability_id":"VCID-kphr-jpjm-73dw","summary":"An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. When processing YAML-based queries for data, a YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.","references":[{"reference_url":"https://github.com/advisories/GHSA-xpm8-98mx-h4c5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xpm8-98mx-h4c5"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/mlalchemy/PYSEC-2017-19.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/mlalchemy/PYSEC-2017-19.yaml"},{"reference_url":"https://github.com/thanethomson/MLAlchemy","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/thanethomson/MLAlchemy"},{"reference_url":"https://github.com/thanethomson/MLAlchemy/commit/bc795757febdcce430d89f9d08f75c32d6989d3c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/thanethomson/MLAlchemy/commit/bc795757febdcce430d89f9d08f75c32d6989d3c"},{"reference_url":"https://github.com/thanethomson/MLAlchemy/issues/1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/thanethomson/MLAlchemy/issues/1"},{"reference_url":"https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16615-critical-restful-web-applications-vulnerability/","reference_id":"","reference_type":"","scores":[],"url":"https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16615-critical-restful-web-applications-vulnerability/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16615","reference_id":"CVE-2017-16615","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16615"},{"reference_url":"https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16615-critical-restful-web-applications-vulnerability","reference_id":"CVE-2017-16615-CRITICAL-RESTFUL-WEB-APPLICATIONS-VULNERABILITY","reference_type":"","scores":[],"url":"https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16615-critical-restful-web-applications-vulnerability"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/10448?format=json","purl":"pkg:pypi/mlalchemy@0.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlalchemy@0.2.2"}],"aliases":["CVE-2017-16615","GHSA-xpm8-98mx-h4c5","PYSEC-2017-19"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kphr-jpjm-73dw"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mlalchemy@0.1.2"}