CVE-2023-24621

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://contrastsecurity.com	Third Party Advisory
https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md	Exploit Third Party Advisory
https://github.com/EsotericSoftware	Third Party Advisory
https://contrastsecurity.com	Third Party Advisory
https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md	Exploit Third Party Advisory
https://github.com/EsotericSoftware	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:esotericsoftware:yamlbeans:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-08-25 20:15

Updated : 2024-11-21 07:48

NVD link : CVE-2023-24621

Mitre link : CVE-2023-24621

CVE.ORG link : CVE-2023-24621

JSON object : View

Products Affected

esotericsoftware

yamlbeans

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2023-24621", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2023-08-25T20:15:07.983", "references": [{"url": "https://contrastsecurity.com", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/EsotericSoftware", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://contrastsecurity.com", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/EsotericSoftware", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en YamlBeans de Esoteric a trav\u00e9s de 1.15. Permite la deserializaci\u00f3n no confiable a clases Java de forma predeterminada, donde los datos y la clase son controlados por el autor del documento YAML que se est\u00e1 procesando.\n"}], "lastModified": "2024-11-21T07:48:14.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:esotericsoftware:yamlbeans:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA60B6AE-695A-4791-88C5-576BDEEA4FE4", "versionEndIncluding": "1.15"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}