Description

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Remediation

References

https://contrastsecurity.com

https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

https://github.com/EsotericSoftware

Related Vulnerabilities

CVE-2022-23464 Vulnerability in maven package com.nepxion:discovery-plugin-admin-center

CVE-2020-10683 Vulnerability in maven package org.dom4j:dom4j

CVE-2015-6524 Vulnerability in maven package org.apache.activemq:activemq-all

CVE-2018-25079 Vulnerability in npm package is-url

CVE-2019-14893 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

High

Classification

CWE-502 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Exploit