resteasy-yaml-provider is vulnerable to remote code execution (RCE) attacks. These attacks are possible because of an incomplete fix for CVE-2016-9606, which still uses Yaml.load() in the YamlProvider. This issue only affects applications which have the YamlProvider explicitly enabled by adding or appending a file with the name META-INF/services/javax.ws.rs.ext.Providers to your WAR or JAR, with the contents org.jboss.resteasy.plugins.providers.YamlProvider.
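
To check whether a deployment meets the enabling condition described above, the following added example (not code from RESTEasy or from this advisory) scans a WAR or JAR, including bundled JARs, for a Providers file that registers the YamlProvider. The function names and the sample archive contents are hypothetical, and treating `#` as a comment marker follows the standard Java service-file convention, which is an assumption here.

```python
import io
import zipfile

# Both strings are taken from the advisory text.
SERVICE_FILE = "META-INF/services/javax.ws.rs.ext.Providers"
PROVIDER = "org.jboss.resteasy.plugins.providers.YamlProvider"


def registers_yaml_provider(text):
    """True if any non-comment line of a Providers file names YamlProvider."""
    return any(l.split("#", 1)[0].strip() == PROVIDER for l in text.splitlines())


def find_yaml_provider(archive, label="", depth=0):
    """List entries in a WAR/JAR (filename or file object) that enable YamlProvider.

    Nested archives such as WEB-INF/lib/*.jar are scanned up to 3 levels deep.
    """
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            where = f"{label}!/{name}" if label else name
            if name == SERVICE_FILE or name.endswith("/" + SERVICE_FILE):
                text = zf.read(name).decode("utf-8", errors="replace")
                if registers_yaml_provider(text):
                    hits.append(where)
            elif name.lower().endswith((".jar", ".war", ".ear")) and depth < 3:
                try:
                    hits += find_yaml_provider(io.BytesIO(zf.read(name)), where, depth + 1)
                except zipfile.BadZipFile:
                    pass  # entry is not a readable archive; skip it
    return hits


def build_sample_war():
    """Constructed sample: a WAR whose bundled JAR appends the provider line."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(SERVICE_FILE, "# constructed example\ncom.example.Other\n" + PROVIDER + "\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/app-providers.jar", jar.getvalue())
        zf.writestr("WEB-INF/classes/" + SERVICE_FILE, "#" + PROVIDER + "\n")
    return war


if __name__ == "__main__":
    for hit in find_yaml_provider(build_sample_war(), "sample.war"):
        print("YamlProvider enabled in", hit)
```

An empty result means no scanned Providers file registers the YamlProvider, which is the condition under which the advisory says an application is not affected.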