Description

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Remediation

References

https://contrastsecurity.com

https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

https://github.com/EsotericSoftware

Related Vulnerabilities

CVE-2022-0673 Vulnerability in maven package org.eclipse.lemminx:lemminx-parent

CVE-2018-8006 Vulnerability in maven package org.apache.activemq:activemq-web-console

CVE-2022-29172 Vulnerability in npm package auth0-lock

CVE-2023-46122 Vulnerability in maven package org.scala-sbt:io_2.12

CVE-2022-31147 Vulnerability in maven package org.webjars:jquery-validation

Severity

High

Classification

CWE-502 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Exploit