logo

Database

Insecure deserialization In opensearch

Description

opensearch-ruby 2.x before 2.0.2 vulnerable to unsafe YAML deserialization

Impact

A YAML deserialization in opensearch-ruby 2.0.0 can lead to unsafe deserialization using YAML.load if the response is of type YAML.

Patches

The problem has been patched in opensearch-ruby gem version 2.0.2.

Workarounds

No viable workaround. Please upgrade to 2.0.2

References

https://github.com/opensearch-project/opensearch-ruby/pull/77 https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/

For more information

If you have any questions or comments about this advisory:

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-311152. NVD-2022-311153. OSV-2022-311154. GHSA-977c-63xq-cgw35. GCVE-2022-311156. GHSA-977c-63xq-cgw3

References

1. https://github.com/opensearch-project/opensearch-ruby/pull/772. https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/3. https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw34. https://github.com/opensearch-project/opensearch-ruby/commit/d74a98b45c037671e8819fa87f6a6423458ab08a5. https://github.com/opensearch-project/opensearch-ruby/compare/v2.0.1...v2.0.26. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/opensearch-ruby/CVE-2022-31115.yml7. https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.