Description

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Remediation

References

https://contrastsecurity.com

https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

https://github.com/EsotericSoftware

Related Vulnerabilities

CVE-2019-14900 Vulnerability in maven package org.hibernate:hibernate-core

CVE-2016-10664 Vulnerability in npm package mystem

CVE-2022-31051 Vulnerability in npm package semantic-release

CVE-2016-1000346 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

CVE-2021-21672 Vulnerability in maven package org.jenkins-ci.plugins:seleniumhtmlreport

Severity

High

Classification

CWE-502 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Exploit