Analyst readout for executives and security teams
Plain-English summary
Older Django Tastypie versions can mishandle YAML API input in a way that may let a remote attacker run Python code on the server. This matters most for applications still using Tastypie before 0.9.10 and accepting YAML-formatted requests.
Executive priority
Treat as urgent where legacy Tastypie APIs remain reachable, because the impact is server-side code execution. If Tastypie is absent, upgraded, or YAML is not exposed, urgency drops substantially.
Technical view
CVE-2011-4104 affects Django Tastypie before 0.9.10. The from_yaml method in serializers.py used unsafe YAML deserialization through yaml.load, allowing arbitrary Python code execution through malicious YAML data. The supplied sources do not provide CVSS, CWE, or affected CPE metadata.
Likely exposure
Exposure is likely limited to legacy Django applications using django-tastypie before 0.9.10, especially APIs that accept YAML request bodies or deserialize YAML through Tastypie serializers.
Exploitation context
The CVE description states remote arbitrary Python code execution is possible. The provided bundle does not show CISA KEV listing, confirmed active exploitation, public exploit status, or observed in-the-wild activity.
Researcher notes
The strongest evidence is the CVE record, Django security release notice, oss-security discussion, and upstream commit. Metadata is sparse: no CVSS, no CWE, generic affected-product fields, and no KEV signal in the supplied bundle.
Mitigation direction
- Upgrade Django Tastypie to 0.9.10 or later.
- Follow the Django/Tastypie security release guidance from November 2011.
- Disable YAML input support if it is unnecessary and supported by the application design.
- Prioritize internet-facing APIs before internal-only legacy services.
- If upgrading is blocked, review vendor guidance for safe temporary controls.
Validation and detection
- Inventory applications using django-tastypie and record installed versions.
- Confirm no deployed dependency is older than Tastypie 0.9.10.
- Identify APIs that accept YAML content or invoke Tastypie YAML deserialization.
- Review vendored or forked serializers.py copies for unsafe yaml.load usage.
- Run regression tests covering supported API content types after remediation.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2011-4104 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://groups.google.com/forum/#%21topic/django-tastypie/i2aNGDHTUBICVE reference · x_refsource_CONFIRM
- [oss-security] 20111102 Re: Re: CVE request for Django-piston and TastypieCVE reference · mailing-list, x_refsource_MLIST
- https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/CVE reference · x_refsource_MISC
- https://github.com/toastdriven/django-tastypie/commit/e8af315211b07c8f48f32a063233cc3f76dd5bc2CVE reference · x_refsource_CONFIRM
- [oss-security] 20111102 Re: CVE request for Django-piston and TastypieCVE reference · mailing-list, x_refsource_MLIST
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
