Description

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Remediation

References

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

https://github.com/mbechler/marshalsec

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

https://security.netapp.com/advisory/ntap-20230818-0015/

http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

http://www.openwall.com/lists/oss-security/2023/11/19/1

https://security.netapp.com/advisory/ntap-20240621-0006/

Related Vulnerabilities

CVE-2022-31180 Vulnerability in npm package shescape

CVE-2020-8910 Vulnerability in maven package org.webjars.npm:google-closure-library

CVE-2021-23507 Vulnerability in npm package object-path-set

CVE-2021-46708 Vulnerability in maven package org.webjars.bower:swagger-ui

CVE-2022-2048 Vulnerability in maven package org.eclipse.jetty.http2:http2-server

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Issue Tracking