PT-2019-20028 · Js Yaml · Js-Yaml
Publicado
2019-06-04
·
Atualizado
2019-06-04
Nenhuma
Não há classificações de severidade ou métricas disponíveis. Quando houver, atualizaremos as informações correspondentes na página.
Name of the Vulnerable Software and Affected Versions
js-yaml versions prior to 3.13.1
Description
The issue allows for code injection through malicious YAML files. The
load() function may execute arbitrary code when it encounters objects with toString as a key and JavaScript code as a value, used as explicit mapping keys. This enables attackers to execute supplied code. The safeLoad() function is not affected.Recommendations
Upgrade to version 3.13.1. As a temporary workaround, consider avoiding the use of the
load() function with untrusted YAML files until the issue is resolved. Restrict access to potentially malicious YAML files to minimize the risk of exploitation.Code Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Js-Yaml