Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arbitrary Code Execution SNYK-JAVA-ORGYAML-3152153 #538

Open
github-actions bot opened this issue Dec 12, 2022 · 0 comments
Open

Arbitrary Code Execution SNYK-JAVA-ORGYAML-3152153 #538

github-actions bot opened this issue Dec 12, 2022 · 0 comments

Comments

@github-actions
Copy link

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution in the Constructor class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the SafeConstructor class.

The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation. Thus, no fix is expected.

NOTE: This advisory is subject to change as we investigate the practicality of exploitation.

Remediation

There is no fixed version for org.yaml:snakeyaml.

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

0 participants