org.yamcs:yamcs-core@5.12.6

  • latest version

    5.13.0

  • first published

    10 years ago

  • latest version published

    28 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.yamcs:yamcs-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
    • C (critical)
    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

    Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the updateAlgorithm process. An attacker can execute arbitrary code on the server by supplying crafted JavaScript payloads that are evaluated without restriction.

    Note:

    This is only exploitable if the deployment is running in the default configuration without a security.yaml file, or if a user has been granted the ChangeMissionDatabase privilege.

    How to fix Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')?

    Upgrade org.yamcs:yamcs-core to version 5.12.7 or higher.

    [,5.12.7)
    • C (critical)
    Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the dynamic evaluation of user-supplied algorithm code in the script evaluation engine. An attacker can execute arbitrary operating system commands by injecting malicious Jython code through the REST API when authenticated with the required privileges.

    Note:

    This is only exploitable if the attacker has the ChangeMissionDatabase privilege and the Jython engine is present in the classpath, and there is an existing algorithm with its language set to Python.

    How to fix Arbitrary Code Injection?

    Upgrade org.yamcs:yamcs-core to version 5.12.7 or higher.

    [,5.12.7)
    • H (high)
    Brute Force

    Affected versions of this package are vulnerable to Brute Force through the handleToken process. An attacker can gain unauthorized access to user accounts by performing unlimited authentication attempts without restriction.

    How to fix Brute Force?

    Upgrade org.yamcs:yamcs-core to version 5.12.7 or higher.

    [,5.12.7)
    • C (critical)
    Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection in the JavaExprAlgorithmExecutionFactory process. An attacker can execute arbitrary code on the underlying operating system by injecting malicious Java expressions through the REST API when authenticated with the ChangeMissionDatabase privilege.

    Note:

    This is only exploitable if the attacker possesses valid credentials with the required privilege and can access a running instance with an active processor.

    How to fix Arbitrary Code Injection?

    Upgrade org.yamcs:yamcs-core to version 5.12.7 or higher.

    [,5.12.7)
    • M (medium)
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the IAM API endpoints, including listUsers, getUser, listGroups, and getGroup. An attacker can retrieve sensitive user information, such as usernames, superuser status, and group memberships, by sending authenticated requests to these endpoints without possessing elevated privileges.

    How to fix Missing Authorization?

    Upgrade org.yamcs:yamcs-core to version 5.12.7 or higher.

    [,5.12.7)
    • M (medium)
    LDAP Injection

    Affected versions of this package are vulnerable to LDAP Injection via the LdapAuthModule process. An attacker can gain unauthorized access to user accounts by injecting specially crafted input into the username parameter during LDAP authentication.

    Note:

    This is only exploitable if the deployment uses org.yamcs.security.LdapAuthModule in the etc/security.yaml configuration file.

    How to fix LDAP Injection?

    Upgrade org.yamcs:yamcs-core to version 5.12.7 or higher.

    [,5.12.7)
    • M (medium)
    Improper Restriction of Rendered UI Layers or Frames

    Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames, allowing an attacker to create a website that encourages the user to perform specific actions in the framed application. This type of vulnerability can have an exceptionally high impact on control systems, of which this package is one.

    How to fix Improper Restriction of Rendered UI Layers or Frames?

    There is no fixed version for org.yamcs:yamcs-core.

    [0,)