9 matches found
CVE-2018-1000210
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize will deserialize user-controlled types in the line "currentType = Type.GetTypenodeEvent.Tag.Substring1, throwOnError: false;" and blindly instantiates...
GHSA-RPCH-CQJ9-H65R High severity vulnerability that affects YamlDotNet and YamlDotNet.Signed
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize will deserialize user-controlled types in the line "currentType = Type.GetTypenodeEvent.Tag.Substring1, throwOnError: false;" and blindly instantiates...
High severity vulnerability that affects YamlDotNet and YamlDotNet.Signed
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize will deserialize user-controlled types in the line "currentType = Type.GetTypenodeEvent.Tag.Substring1, throwOnError: false;" and blindly instantiates...
Remote Code Execution (RCE)
YamlDotNet is susceptible to remote code execution RCE through insecure direct object references. It can happen because the Deserializer.Deserialize function does not prevent deserialization of user-controlled types currentType = Type.GetTypenodeEvent.Tag.Substring1, throwOnError: false; and crea...
CVE-2018-1000210
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize will deserialize user-controlled types in the line "currentType = Type.GetTypenodeEvent.Tag.Substring1, throwOnError: false;" and blindly instantiates...
CVE-2018-1000210
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize will deserialize user-controlled types in the line "currentType = Type.GetTypenodeEvent.Tag.Substring1, throwOnError: false;" and blindly instantiates...
Design/Logic Flaw
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize will deserialize user-controlled types in the line "currentType = Type.GetTypenodeEvent.Tag.Substring1, throwOnError: false;" and blindly instantiates...
CVE-2018-1000210
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize will deserialize user-controlled types in the line "currentType = Type.GetTypenodeEvent.Tag.Substring1, throwOnError: false;" and blindly instantiates...
CVE-2018-1000210
YamlDotNet versions 4.3.2 and earlier contain an Insecure Direct Object Reference vulnerability in Deserializer.Deserialize(), which can blindly instantiate user-controlled types via currentType = Type.GetType(...). This can enable code execution in the running process when parsing specially craf...