CVE-2020-1747: 
Python vulnerability analysis and mitigation

A critical vulnerability (CVE-2020-1747) was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. The vulnerability was discovered in February 2020 and fixed in version 5.3.1 released on March 18, 2020 (NVD, GitHub PR).

The vulnerability exists in the FullLoader python/object/new constructor, implemented by construct_python_object_apply, which has support for setting the state of a deserialized instance through the set_python_instance_state method. After setting the state, some operations are performed on the instance to complete its initialization, however, an attacker could set the instance's state in such a way that arbitrary code is executed by the FullLoader. The vulnerability has a CVSS v3.1 base score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, Red Hat).

Applications that use the PyYAML library to process untrusted input may be vulnerable to this flaw. An attacker could exploit this vulnerability to execute arbitrary code on the system by abusing the python/object/new constructor (NVD).

The recommended mitigation is to use yaml.safe_load or the SafeLoader when parsing untrusted input. For long-term remediation, users should upgrade to PyYAML version 5.3.1 or later. Users who need special attributes being set in the state of a deserialized object can still do it through the UnsafeLoader, which however should not be used on untrusted input (GitHub PR).