Description

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Remediation

References

https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

https://github.com/EsotericSoftware

https://contrastsecurity.com

Related Vulnerabilities

CVE-2023-48711 Vulnerability in maven package org.webjars.npm:google-translate-api-browser

CVE-2022-36083 Vulnerability in npm package jose-node-cjs-runtime

CVE-2017-12629 Vulnerability in maven package org.apache.solr:solr-core

CVE-2023-27087 Vulnerability in maven package com.xuxueli:xxl-job

CVE-2022-24762 Vulnerability in npm package sysend

Severity

High

Classification

CWE-502 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory