Vulnerability	Vulnerable Version
M Arbitrary Code Execution org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java. Affected versions of this package are vulnerable to Arbitrary Code Execution in the `Constructor` class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the `SafeConstructor` class. The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation. How to fix Arbitrary Code Execution? Upgrade `org.yaml:snakeyaml` to version 2.0 or higher.	[0,2.0)

Arbitrary Code Execution

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution in the Constructor class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the SafeConstructor class.

The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation.

How to fix Arbitrary Code Execution?

Upgrade org.yaml:snakeyaml to version 2.0 or higher.

[0,2.0)

Go back to all versions of this package