PT-2018-9931 · Red Hat · Resteasy

Adam Mariš

Published 2018-01-25 · Updated 2022-05-13

CVE-2018-1051

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Resteasy versions 3.0.22 and 3.1.2
Description: The issue stems from an incomplete fix for an earlier YAML unmarshalling problem in Resteasy: the vulnerability can still be triggered through Yaml.load() in YamlProvider.
Recommendations: For versions 3.0.22 and 3.1.2, if the YamlProvider is enabled, add authentication and authorization to any endpoint that expects YAML content, so that only trusted callers can reach it.
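The recommendation above, shown as an added example that is not code from Resteasy or from the advisory: a JAX-RS resource that accepts a YAML body, restricts it to an authorized role, and parses it with SnakeYAML's SafeConstructor instead of the plain Yaml.load() the advisory names. Assumed here are JAX-RS 2.x annotations, the SnakeYAML 2.x constructor signature, role-based security enabled in Resteasy via the resteasy.role.based.security context-param, and a hypothetical role name "yaml-uploader" that the deployment's security domain assigns to trusted users.

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

// Added example, not Resteasy's own code.
// Assumes role-based security is enabled in web.xml:
//   <context-param>
//     <param-name>resteasy.role.based.security</param-name>
//     <param-value>true</param-value>
//   </context-param>
@Path("/config")
public class ConfigResource {

    // SafeConstructor only builds standard YAML scalars, sequences and mappings;
    // it refuses "!!" tags that would ask the loader to instantiate arbitrary
    // Java classes, which is what an unrestricted Yaml.load() would honour.
    // (SnakeYAML 2.x signature; older releases use the no-arg SafeConstructor().)
    private static final Yaml SAFE_YAML =
            new Yaml(new SafeConstructor(new LoaderOptions()));

    @POST
    @Consumes("text/plain")          // read the raw body ourselves rather than
                                     // letting a YAML MessageBodyReader unmarshal it
    @RolesAllowed("yaml-uploader")   // hypothetical role; only authenticated callers
                                     // holding it reach this method at all
    public Response upload(String body) {
        Map<String, Object> settings = parseSettings(body);
        if (settings == null) {
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity("expected a YAML mapping")
                    .build();
        }
        // ... apply settings ...
        return Response.ok().build();
    }

    // Parses the document safely and returns it only if it is a plain mapping.
    @SuppressWarnings("unchecked")
    static Map<String, Object> parseSettings(String yamlText) {
        Object parsed = SAFE_YAML.load(yamlText);
        return parsed instanceof Map ? (Map<String, Object>) parsed : null;
    }
}
```

With SafeConstructor in place, a document such as `!!some.Class {}` is rejected with a constructor exception rather than resolved to a Java object, and the @RolesAllowed check keeps unauthenticated clients from reaching the parser in the first place; the two controls are independent, so either one alone still reduces exposure.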

Fix · Deserialization of Untrusted Data · RCE


Weakness Enumeration

Related Identifiers

CVE-2018-1051
GHSA-M2FV-3RQM-G7P5

Affected Products

Resteasy