Information Exposure Affecting marshmallow package, versions [,2.15.1)[3.0.0a1,3.0.0b9)


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.06% (18th percentile)

  • Snyk ID: SNYK-PYTHON-MARSHMALLOW-72559
  • Published: 4 Nov 2018
  • Disclosed: 19 Apr 2018
  • Credit: Unknown

Introduced: 19 Apr 2018

CVE-2018-17175
CWE-200

How to fix?

Upgrade marshmallow to version 2.15.1 or later on the 2.x line, or to 3.0.0b9 or later on the 3.0.0 pre-release line. Every 2.x release before 2.15.1 and every 3.0.0 pre-release from 3.0.0a1 up to (but not including) 3.0.0b9 is affected.

Overview

marshmallow is an ORM/ODM/framework-agnostic library for converting complex datatypes, such as objects, to and from native Python datatypes.

Affected versions of this package are vulnerable to Information Exposure. The schema `only` option treats an empty list as implying no `only` option at all: because an empty list is falsy in Python, `Schema(only=[])` takes the same code path as `Schema(only=None)`. A request that was intended to expose no fields (for example, a dynamically computed field filter that resolved to nothing) therefore serialises and exposes every declared field, including any the caller meant to withhold.
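The following is an added, self-contained illustration of the failure mode and of the fix, written for this page; it is not marshmallow's own source. It models the field-selection step of a schema in two forms: the affected behaviour, which tests `only` for truthiness, and the corrected behaviour, which tests it against `None`. The `USER` record, the declared field names, the `?fields=` query-string parsing and the `dump_*` helpers are all constructed for the example.

```python
"""Model of CVE-2018-17175: `only=[]` treated as "no field filter".

Added example, not marshmallow's code. The two `select_fields_*`
functions stand in for the part of a schema that decides which declared
fields are serialised; everything else is constructed sample data.
"""
from typing import Dict, Iterable, List, Optional, Sequence

# Constructed sample record; in a real service this is an ORM object and
# `password_hash` / `role` are exactly the fields you never meant to expose.
USER: Dict[str, object] = {
    "id": 7,
    "email": "alice@example.com",
    "password_hash": "$2b$12$constructedsamplehash",
    "role": "admin",
}
DECLARED_FIELDS = ("id", "email", "password_hash", "role")


def select_fields_affected(only: Optional[Sequence[str]]) -> List[str]:
    """Selection as in affected releases: an empty list is falsy, so it
    falls into the "no restriction" branch and every field is kept."""
    if only:  # BUG: [] and None take the same branch
        return [f for f in DECLARED_FIELDS if f in only]
    return list(DECLARED_FIELDS)


def select_fields_fixed(only: Optional[Sequence[str]]) -> List[str]:
    """Selection as in fixed releases: only None means "no restriction";
    an empty list restricts the output to zero fields."""
    if only is not None:
        return [f for f in DECLARED_FIELDS if f in only]
    return list(DECLARED_FIELDS)


def dump(record: Dict[str, object], selected: Iterable[str]) -> Dict[str, object]:
    """Serialise just the selected field names from the record."""
    return {name: record[name] for name in selected}


def parse_fields_param(raw: Optional[str]) -> Optional[List[str]]:
    """Turn a `?fields=` query parameter into an `only` list.

    Absent parameter -> None (no filtering requested);
    present but empty (`?fields=`) -> [] (caller asked for nothing)."""
    if raw is None:
        return None
    return [f for f in raw.split(",") if f]


def dump_affected(raw_fields: Optional[str]) -> Dict[str, object]:
    """What a request yields on an affected release."""
    return dump(USER, select_fields_affected(parse_fields_param(raw_fields)))


def dump_fixed(raw_fields: Optional[str]) -> Dict[str, object]:
    """What the same request yields once the truthiness check is gone."""
    return dump(USER, select_fields_fixed(parse_fields_param(raw_fields)))


def dump_guarded(raw_fields: Optional[str]) -> Dict[str, object]:
    """Caller-side workaround for a deployment still pinned to an affected
    release: never hand an empty list to the schema; return nothing instead."""
    only = parse_fields_param(raw_fields)
    if only is not None and len(only) == 0:
        return {}
    return dump(USER, select_fields_affected(only))


if __name__ == "__main__":
    for raw in (None, "id,email", ""):
        print(f"fields={raw!r:12} affected={dump_affected(raw)}  fixed={dump_fixed(raw)}")
```

The interesting case is `?fields=` (present but empty): `parse_fields_param` returns `[]`, the affected selector falls through to "all fields" and `password_hash` and `role` leak, while the fixed selector returns `{}`. The `dump_guarded` variant is the mitigation for code that cannot upgrade yet: short-circuit an empty filter before it reaches the schema, since on an affected release the schema cannot be trusted to distinguish "nothing" from "everything".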

CVSS Base Scores (version 3.1)