Описание
Deserialization of Untrusted Data in org.jboss.resteasy:resteasy-yaml-provider
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via Yaml.load() in YamlProvider.
Mitigation:
If the YamlProvider is enabled it's recommended to add authentication, and authorization to the endpoint expecting Yaml content to prevent exploitation of this vulnerability.
Пакеты
org.jboss.resteasy:resteasy-yaml-provider
< 3.0.26.Final
3.0.26.Final
org.jboss.resteasy:resteasy-yaml-provider
>= 3.1.0, < 3.6.0.Final
3.6.0.Final
Связанные уязвимости
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1 ...