{"id":"PYSEC-2018-67","details":"In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema \"only\" option treats an empty list as implying no \"only\" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the \"only\" option, and there is a user role that produces an empty value for \"only\").","aliases":["CVE-2018-17175","GHSA-9q2p-fj49-vpxj"],"modified":"2023-11-01T04:49:09.661702Z","published":"2018-09-18T17:29:00Z","references":[{"type":"WEB","url":"https://github.com/marshmallow-code/marshmallow/pull/782"},{"type":"WEB","url":"https://github.com/marshmallow-code/marshmallow/pull/777"},{"type":"REPORT","url":"https://github.com/marshmallow-code/marshmallow/issues/772"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-9q2p-fj49-vpxj"}],"affected":[{"package":{"name":"marshmallow","ecosystem":"PyPI","purl":"pkg:pypi/marshmallow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.15.1"},{"introduced":"3.0a0"},{"fixed":"3.0.0b9"}]}],"versions":["0.1.0","0.2.0","0.2.1","0.3.0","0.3.1","0.4.0","0.4.1","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.6.0","0.7.0","1.0.0","1.0.0-a","1.0.1","1.1.0","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","2.0.0","2.0.0a1","2.0.0b1","2.0.0b2","2.0.0b3","2.0.0b4","2.0.0b5","2.0.0rc1","2.0.0rc2","2.1.0","2.1.1","2.1.2","2.1.3","2.10.0","2.10.1","2.10.2","2.10.3","2.10.4","2.10.5","2.11.0","2.11.1","2.12.0","2.12.1","2.12.2","2.13.0","2.13.1","2.13.2","2.13.3","2.13.4","2.13.5","2.13.6","2.14.0","2.15.0","2.2.0","2.2.1","2.3.0","2.4.0","2.4.1","2.4.2","2.5.0","2.6.0","2.6.1","2.7.0","2.7.1","2.7.2","2.7.3","2.8.0","2.9.0","2.9.1","3.0.0a1","3.0.0b1","3.0.0b2","3.0.0b3","3.0.0b4","3.0.0b5","3.0.0b6","3.0.0b7","3.0.0b8"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/marshmallow/PYSEC-2018-67.yaml"}}],"schema_version":"1.7.3"}