Description

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Remediation

References

http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

http://www.openwall.com/lists/oss-security/2023/11/19/1

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

https://github.com/mbechler/marshalsec

https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

https://security.netapp.com/advisory/ntap-20230818-0015/

https://security.netapp.com/advisory/ntap-20240621-0006/

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

Related Vulnerabilities

CVE-2023-6563 Vulnerability in maven package org.keycloak:keycloak-model-jpa

CVE-2020-14062 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2022-1243 Vulnerability in maven package org.webjars.bower:urijs

CVE-2020-10718 Vulnerability in maven package org.wildfly.core:wildfly-embedded

CVE-2023-37909 Vulnerability in maven package org.xwiki.platform:xwiki-platform-menu-ui

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Third Party Advisory Exploit