Lucene search
GitHub Advisory DatabaseGHSA-XXVW-45RP-3MJ2HistoryOct 24, 2017 - 6:33 p.m.
Deserialization Code Execution in js-yaml
2017-10-2418:33:37
CWE-20
GitHub Advisory Database
github.com
24
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.942 High
EPSS
Percentile
99.2%
Versions 2.0.4 and earlier of js-yaml are affected by a code execution vulnerability in the YAML deserializer.
Proof of Concept
const yaml = require('js-yaml');
const x = `test: !!js/function >
function f() {
console.log(1);
}();`
yaml.load(x);
Recommendation
Update js-yaml to version 2.0.5 or later, and ensure that all instances where the .load() method is called are updated to use .safeLoad() instead.
Related
packetstorm
packetstorm
Nodejs js-yaml load() Code Execution
2013-09-25 00:00:00
osv
osv
Deserialization Code Execution in js-yaml
2017-10-24 18:33:37
prion
prion
Code injection
2013-06-28 14:55:00
nodejs
nodejs
Deserialization Code Execution
2015-10-17 19:41:46
zdt
zdt
Nodejs js-yaml load() Code Execution Vulnerability
2013-09-26 00:00:00
checkpoint_advisories
checkpoint_advisories
Nodejs js-yaml load() Code Execution (CVE-2013-4660)
2013-12-22 00:00:00
cve
cve
CVE-2013-4660
2013-06-28 14:55:00
securityvulns
securityvulns
[oss-security] CVE request: various NodeJS module vulnerabilities
2014-05-15 00:00:00
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.942 High
EPSS
Percentile
99.2%
Related for GHSA-XXVW-45RP-3MJ2