Insecure deserialization in org.jboss.resteasy:resteasy-yaml-provider
Description
Deserialization of Untrusted Data in org.jboss.resteasy:resteasy-yaml-provider
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete, and YAML unmarshalling in RESTEasy is still possible via Yaml.load() in YamlProvider.
Mitigation:
If the YamlProvider is enabled, it is recommended to add authentication and authorization to the endpoint expecting YAML content to prevent exploitation of this vulnerability.
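The pattern the description refers to, shown as an added illustration rather than RESTEasy's own YamlProvider code: a JAX-RS reader for YAML request bodies with the unsafe Yaml.load() usage beside a hardened form that only constructs plain YAML types. It assumes the SnakeYAML 1.x API (a no-argument SafeConstructor) and the JAX-RS 2.x javax.ws.rs types; the class name SafeYamlReader is hypothetical.

```java
// Added illustration, not RESTEasy's YamlProvider. Assumes SnakeYAML 1.x
// (no-arg SafeConstructor) and JAX-RS 2.x javax.ws.rs types.
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import javax.ws.rs.Consumes;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Provider;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

@Provider
@Consumes("application/x-yaml")
public class SafeYamlReader implements MessageBodyReader<Object> {

    // Vulnerable pattern (the one the advisory describes): a default Yaml
    // instance honours explicit "!!" type tags in the request body, so the
    // client chooses which classes on the server classpath get constructed.
    //   Object body = new Yaml().load(entityStream);

    // Hardened pattern: SafeConstructor builds only standard YAML types
    // (maps, lists, scalars) and rejects tags naming Java classes. This
    // complements, not replaces, the authentication/authorization the
    // advisory recommends for the endpoint.
    private static Object loadSafely(InputStream entityStream) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(entityStream);
    }

    @Override
    public boolean isReadable(Class<?> type, Type genericType,
                              Annotation[] annotations, MediaType mediaType) {
        return "application".equals(mediaType.getType())
            && "x-yaml".equals(mediaType.getSubtype());
    }

    @Override
    public Object readFrom(Class<Object> type, Type genericType,
                           Annotation[] annotations, MediaType mediaType,
                           MultivaluedMap<String, String> httpHeaders,
                           InputStream entityStream)
            throws IOException, WebApplicationException {
        // Untrusted YAML arrives as plain collections; the resource method
        // maps them onto its own model explicitly rather than via type tags.
        return loadSafely(entityStream);
    }
}
```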
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| maven | org.jboss.resteasy:resteasy-yaml-provider | | 3.0.26.final, 3.6.0.final |