You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Affected versions of this package are vulnerable to Arbitrary Code Execution in the Constructor class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the SafeConstructor class.
The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation. Thus, no fix is expected.
NOTE: This advisory is subject to change as we investigate the practicality of exploitation.
Overview
org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.
Affected versions of this package are vulnerable to Arbitrary Code Execution in the
Constructor
class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents theSafeConstructor
class.The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation. Thus, no fix is expected.
NOTE: This advisory is subject to change as we investigate the practicality of exploitation.
Remediation
There is no fixed version for
org.yaml:snakeyaml
.References
The text was updated successfully, but these errors were encountered: