[MAVEN:GHSA-M2FV-3RQM-G7P5] Deserialization of Untrusted Data in org.jboss.resteasy:resteasy-yaml-provider

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via Yaml.load() in YamlProvider.

Mitigation:

If the YamlProvider is enabled, it is recommended to add authentication and authorization to the endpoint expecting Yaml content to prevent exploitation of this vulnerability.

ID
MAVEN:GHSA-M2FV-3RQM-G7P5
Severity
high
URL
https://github.com/advisories/GHSA-m2fv-3rqm-g7p5
Published
2022-05-13T01:33:34
Modified
2023-01-30T05:01:09
Rights
Maven Security Team
Affected and fixed packages (Type, Package URL, Namespace, Name / Product, Version; no Distribution / Platform, Arch or Patch / Fix values are given):

Affected: pkg:maven/org.jboss.resteasy/resteasy-yaml-provider (namespace org.jboss.resteasy, name resteasy-yaml-provider), versions >= 3.1.0 and < 3.6.0.Final
Fixed:    pkg:maven/org.jboss.resteasy/resteasy-yaml-provider (namespace org.jboss.resteasy, name resteasy-yaml-provider), version = 3.6.0.Final
Affected: pkg:maven/org.jboss.resteasy/resteasy-yaml-provider (namespace org.jboss.resteasy, name resteasy-yaml-provider), versions < 3.0.26.Final
Fixed:    pkg:maven/org.jboss.resteasy/resteasy-yaml-provider (namespace org.jboss.resteasy, name resteasy-yaml-provider), version = 3.0.26.Final