Описание
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
Отчет
In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low. Red Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | snakeyaml | Affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Not affected | ||
| Red Hat AMQ Broker 7 | snakeyaml | Not affected | ||
| Red Hat A-MQ Online | snakeyaml | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 3 | snakeyaml | Affected | ||
| Red Hat build of Apicurio Registry 2 | snakeyaml | Not affected | ||
| Red Hat build of Debezium 1 | snakeyaml | Not affected | ||
| Red Hat build of OpenJDK 11 | snakeyaml | Not affected | ||
| Red Hat Data Grid 8 | snakeyaml | Will not fix | ||
| Red Hat Decision Manager 7 | snakeyaml | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
9.8 Critical
CVSS3
Связанные уязвимости
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
SnakeYaml's Constructor() class does not restrict types which can be i ...
SnakeYaml Constructor Deserialization Remote Code Execution
EPSS
9.8 Critical
CVSS3