{"id":"CVE-2018-17175","details":"In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema \"only\" option treats an empty list as implying no \"only\" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the \"only\" option, and there is a user role that produces an empty value for \"only\").","aliases":["GHSA-9q2p-fj49-vpxj","PYSEC-2018-67"],"modified":"2026-04-09T06:09:35.006476Z","published":"2018-09-18T17:29:01.867Z","related":["MGASA-2019-0065","openSUSE-SU-2024:11238-1","openSUSE-SU-2024:14147-1"],"references":[{"type":"ADVISORY","url":"https://github.com/marshmallow-code/marshmallow/pull/782"},{"type":"ADVISORY","url":"https://github.com/marshmallow-code/marshmallow/pull/777"},{"type":"REPORT","url":"https://github.com/marshmallow-code/marshmallow/issues/772"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/marshmallow-code/marshmallow","events":[{"introduced":"0"},{"fixed":"251bff399786ad827d22c59f1cf4a49cc9aa9afe"},{"introduced":"349213cdf5057a6d1db8cab3f2d6cdf94f18f53e"},{"fixed":"1781e9a18895aa9b473fb5587de3cf922416733e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.15.1"},{"introduced":"3.0"},{"fixed":"3.0.0b9"}]}}],"versions":["0.1.0","0.2.0","0.2.1","0.3.0","0.3.1","0.4.0","0.4.1","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.6.0","0.7.0","1.0.0","1.2.0","2.0.0","2.0.0a1","2.0.0b1","2.0.0b2","2.0.0b3","2.0.0b4","2.0.0b5","2.0.0rc1","2.0.0rc2","2.1.0","2.10.0","2.10.1","2.10.2","2.10.3","2.10.4","2.11.0","2.11.1","2.12.0","2.12.1","2.12.2","2.13.0","2.13.1","2.13.2","2.13.3","2.13.4","2.13.5","2.13.6","2.14.0","2.15.0","2.2.0","2.3.0","2.4.0","2.4.1","2.5.0","2.6.0","2.7.0","2.7.1","2.7.2","2.8.0","2.9.0","2.9.1","3.0.0a1","3.0.0b1","3.0.0b2","3.0.0b3","3.0.0b4","3.0.0b5","3.0.0b6","3.0.0b7","3.0.0b8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17175.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}