Description

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Remediation

References

https://contrastsecurity.com

https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

https://github.com/EsotericSoftware

Related Vulnerabilities

CVE-2022-36881 Vulnerability in maven package org.jenkins-ci.plugins:git-client

CVE-2023-24998 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2017-12625 Vulnerability in maven package org.apache.hive.hcatalog:hive-hcatalog-core

CVE-2022-29244 Vulnerability in npm package npm

CVE-2016-5388 Vulnerability in maven package org.apache.tomcat:tomcat

Severity

High

Classification

CWE-502 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Exploit