logo
DATABASE RESOURCES PRICING ABOUT US

Deserialization of Untrusted Data in org.jboss.resteasy:resteasy-yaml-provider

Description

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider. #### Mitigation: If the YamlProvider is enabled it's recommended to add authentication, and authorization to the endpoint expecting Yaml content to prevent exploitation of this vulnerability.


Affected Software


CPE Name Name Version
org.jboss.resteasy:resteasy-yaml-provider 3.1.0.Final
org.jboss.resteasy:resteasy-yaml-provider 3.1.1.Final
org.jboss.resteasy:resteasy-yaml-provider 3.1.2.Final
org.jboss.resteasy:resteasy-yaml-provider 3.1.3.Final
org.jboss.resteasy:resteasy-yaml-provider 3.1.4.Final
org.jboss.resteasy:resteasy-yaml-provider 3.5.0.CR1
org.jboss.resteasy:resteasy-yaml-provider 3.5.0.CR2
org.jboss.resteasy:resteasy-yaml-provider 3.5.0.CR3
org.jboss.resteasy:resteasy-yaml-provider 3.5.0.CR4
org.jboss.resteasy:resteasy-yaml-provider 3.5.0.Final
org.jboss.resteasy:resteasy-yaml-provider 3.5.1.Final
org.jboss.resteasy:resteasy-yaml-provider 3.6.0.CR1

Related