ID CVE-2018-17175
Summary In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
References
Vulnerable Configurations
  • cpe:2.3:a:marshmallow_project:marshmallow:0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:0.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:0.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.0.0-a:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.0.0-a:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:1.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.0.0a1:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.0.0a1:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b1:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b1:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b2:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b2:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b3:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b3:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b4:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b4:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b5:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.0.0b5:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.0.0rc1:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.0.0rc1:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.0.0rc2:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.0.0rc2:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.7.2:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.7.3:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.10.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.10.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.10.2:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.10.3:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.10.4:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.10.4:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.10.5:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.10.5:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.11.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.11.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.12.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.12.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.12.2:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.12.2:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.13.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.13.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.13.1:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.13.1:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.13.2:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.13.2:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.13.3:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.13.3:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.13.4:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.13.4:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.13.5:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.13.5:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.13.6:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.13.6:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.14.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:2.15.0:*:*:*:*:*:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:2.15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:3.0.0a1:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:3.0.0a1:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b1:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b1:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b2:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b2:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b3:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b3:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b4:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b4:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b5:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b5:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b6:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b6:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b7:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b7:*:*:*:*:python:*:*
  • cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b8:*:*:*:*:python:*:*
    cpe:2.3:a:marshmallow_project:marshmallow:3.0.0b8:*:*:*:*:python:*:*
CVSS
Base: 5.0 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
misc
Last major update 03-10-2019 - 00:03
Published 18-09-2018 - 17:29
Last modified 03-10-2019 - 00:03
Back to Top