Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-DOTNET-YAMLDOTNET-60255
- published 19 Jul 2018
- disclosed 13 Jul 2018
- credit Kurt Boberg
How to fix?
yamldotnet to version 5.0.0 or higher.
yamldotnetprovides low level parsing and emitting of YAML as well as a high level object model similar to XmlDocument.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
Deserializer.Deserialize() function deserializes user-controlled types and blindly instantiates them. An attacker may send a specually crafted yaml file, which will then execute code in the context of the running process.