{"id":"MGASA-2019-0065","summary":"Updated python-marshmallow packages fix security vulnerability","details":"In the marshmallow library before 2.15.1 for Python, the schema \"only\"\noption treats an empty list as implying no \"only\" option, which allows a\nrequest that was intended to expose no fields to instead expose all fields\n(if the schema is being filtered dynamically using the \"only\" option, and\nthere is a user role that produces an empty value for \"only\")\n(CVE-2018-17175).\n","modified":"2026-01-31T14:25:22.788250Z","published":"2019-02-13T11:08:25Z","related":["CVE-2018-17175"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0065.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23703"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GCKZAADQI7JJ3ZUN7DSIR2JH3VZEJZDM/"}],"affected":[{"package":{"name":"python-marshmallow","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/python-marshmallow?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-0.5.gitea1def9.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0065.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}