Description
JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product.
Remediation
References
https://github.com/mbechler/marshalsec
https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf
https://gist.github.com/j0lt-github/f5141abcacae63d434ecae211422153a
https://sourceforge.net/p/jyaml/bugs/
https://security.netapp.com/advisory/ntap-20200313-0001/
Related Vulnerabilities
CVE-2020-11620 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2017-18197 Vulnerability in maven package org.webjars.bower:mxgraph
CVE-2018-10936 Vulnerability in maven package org.postgresql:postgresql
CVE-2021-3803 Vulnerability in npm package nth-check
CVE-2017-7545 Vulnerability in maven package org.jbpm:jbpm-designer-backend