Description

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Remediation

References

http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

http://www.openwall.com/lists/oss-security/2023/11/19/1

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

https://github.com/mbechler/marshalsec

https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

https://security.netapp.com/advisory/ntap-20230818-0015/

https://security.netapp.com/advisory/ntap-20240621-0006/

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

Related Vulnerabilities

CVE-2016-10556 Vulnerability in npm package sequelize

CVE-2023-44981 Vulnerability in maven package org.apache.zookeeper:zookeeper

CVE-2019-10360 Vulnerability in maven package org.jenkins-ci.plugins.m2release:m2release

CVE-2023-30513 Vulnerability in maven package org.csanchez.jenkins.plugins:kubernetes

CVE-2021-23574 Vulnerability in npm package js-data

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Third Party Advisory Exploit