opensearch-ruby is vulnerable to deserialization of untrusted data. The vulnerability exists because response.body is deserialized unsafely with YAML.load in the verify_open_search function of opensearch.rb.
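The pattern the advisory describes, a client deserializing an HTTP response body with YAML.load, beside a hardened parser that uses Psych's safe_load so that a response from an untrusted or compromised server cannot instantiate arbitrary Ruby objects. This is an added example, not code from opensearch-ruby; parse_response_body, ParseError and the sample bodies are constructed for it.

```ruby
require 'yaml'
require 'json'

# Hypothetical error type for this example.
class ParseError < StandardError; end

# Parses a response body according to its declared content type.
# YAML is loaded with Psych's safe_load, which only materialises basic
# scalars and collections and refuses !ruby/... tags that would make the
# document instantiate arbitrary Ruby classes. Before Psych 4 (Ruby 3.1),
# YAML.load applied none of these restrictions, which is the unsafe
# pattern the advisory describes.
def parse_response_body(content_type, body)
  case content_type.to_s.split(';').first.to_s.strip
  when 'application/yaml', 'application/x-yaml', 'text/yaml'
    YAML.safe_load(body, permitted_classes: [], permitted_symbols: [], aliases: false)
  else
    JSON.parse(body)
  end
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError, JSON::ParserError => e
  raise ParseError, "rejected response body: #{e.class}: #{e.message}"
end

# Constructed sample bodies (not real OpenSearch output).
BENIGN_YAML = "---\nname: node-1\nversion:\n  distribution: opensearch\n  number: 2.0.0\n"
# A document that asks the loader to build an object; safe_load refuses it.
TAGGED_YAML = "--- !ruby/object:Object {}\n"

if __FILE__ == $PROGRAM_NAME
  p parse_response_body('application/yaml', BENIGN_YAML)
  begin
    parse_response_body('application/yaml', TAGGED_YAML)
  rescue ParseError => e
    puts e.message
  end
end
```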
| CPE | Name | Operator | Version |
|---|---|---|---|
| | opensearch-ruby | le | 2.0.1 |
github.com/opensearch-project/opensearch-ruby/commit/d74a98b45c037671e8819fa87f6a6423458ab08a
github.com/opensearch-project/opensearch-ruby/pull/77
github.com/opensearch-project/opensearch-ruby/pull/82
github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/