Description

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Remediation

References

http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

http://www.openwall.com/lists/oss-security/2023/11/19/1

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

https://github.com/mbechler/marshalsec

https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c

https://security.netapp.com/advisory/ntap-20230818-0015/

https://security.netapp.com/advisory/ntap-20240621-0006/

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

Related Vulnerabilities

CVE-2020-6458 Vulnerability in maven package org.webjars.npm:electron

CVE-2023-26473 Vulnerability in maven package org.xwiki.platform:xwiki-platform-query-manager

CVE-2021-27515 Vulnerability in maven package org.webjars.bowergithub.unshiftio:url-parse

CVE-2020-2193 Vulnerability in maven package io.jenkins.plugins:echarts-api

CVE-2018-20676 Vulnerability in maven package org.webjars.bower:bootstrap

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Third Party Advisory Exploit