Last active
December 17, 2020 16:15
Description: JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product.
VulnerabilityType: CWE-502: Deserialization of Untrusted Data
Vendor of Product: http://jyaml.sourceforge.net (see yaml.org)
Affected Product Code Base: jyaml Java library
Attack Type: Remote
Impact Code execution: True
Credits: Manmeet Singh and Ashish Kukreti
Attack Vectors: JYaml can be exploited by deserializing a malicious YAML payload with the library's default load() function. The payload can be easily generated with this payload generator:
https://github.com/mbechler/marshalsec
and passed to the load function, for example:
Object object = Yaml.load(new File("object.yml"));
This will certainly execute the command.
Reference:
https://github.com/mbechler/marshalsec
https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf
https://sourceforge.net/p/jyaml/bugs/
Has vendor confirmed or acknowledged the vulnerability?: Yes
Discoverer: Manmeet Singh and Ashish Kukreti
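
Since the product is discontinued, a defender's first step is to locate where a code base reaches the load() call named above. The following is an added example, not part of the original advisory or the JYaml project: it scans Java source text for JYaml load calls while ignoring comments, string literals and other YAML libraries. The package name org.ho.yaml, the function name find_jyaml_loads and the sample class are assumptions.

```python
import re

# Assumption: JYaml's entry class is org.ho.yaml.Yaml (the page shows only the
# unqualified call Yaml.load(...)). load\w* also catches load-prefixed variants.
JYAML_IMPORT = re.compile(r"^\s*import\s+org\.ho\.yaml\.(?:Yaml|\*)\s*;", re.M)
QUALIFIED_CALL = re.compile(r"\borg\.ho\.yaml\.Yaml\s*\.\s*load\w*\s*\(")
SIMPLE_CALL = re.compile(r"(?<![\w.])Yaml\s*\.\s*load\w*\s*\(")
# String literals and comments, so text inside them is never reported as a call.
NON_CODE = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)


def _blank_non_code(source):
    """Overwrite strings and comments with spaces, keeping line breaks."""
    return NON_CODE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)


def find_jyaml_loads(source):
    """Return sorted (line_number, line_text) pairs for JYaml load calls."""
    code = _blank_non_code(source)
    patterns = [QUALIFIED_CALL]
    if JYAML_IMPORT.search(code):  # a bare Yaml.load counts only with the import
        patterns.append(SIMPLE_CALL)
    hits = {code.count("\n", 0, m.start()) + 1
            for p in patterns for m in p.finditer(code)}
    lines = source.splitlines()
    return [(n, lines[n - 1].strip()) for n in sorted(hits)]


# Constructed sample source, not taken from the page.
SAMPLE = '''\
package com.example;
import java.io.File;
import org.ho.yaml.Yaml;

class ConfigReader {
    Object read(File upload) throws Exception {
        // Yaml.load(upload) inside a comment is ignored
        return Yaml.load(upload);
    }
}
'''

if __name__ == "__main__":
    for number, text in find_jyaml_loads(SAMPLE):
        print(f"line {number}: {text}")
```

Each reported line is a place where the origin of the YAML input needs review, since any call that can receive attacker-controlled data is exposed to the issue described above.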