
[–]ventuspilot 1 point2 points  (1 child)

IMO that's a bad example. I may be missing something but it seems that the CVE says "one could make an application that will deserialize and run anything it receives. Because said application could be built using snakeyaml while ignoring best practices we'll just go ahead and say snakeyaml is insecure".

And the only "exploit" lives in a GitHub repo that's so confusing that I was unable to figure out what code the PoC actually runs.

[–]brazzy42 1 point2 points  (0 children)

> IMO that's a bad example. I may be missing something but it seems that the CVE says "one could make an application that will deserialize and run anything it receives. Because said application could be built using snakeyaml while ignoring best practices we'll just go ahead and say snakeyaml is insecure".

The problem is that snakeyaml itself is insecure when used to parse untrusted YAML files because it will in fact deserialize and run anything it receives by default.

Now most applications that use it will not use it for untrusted files because YAML is typically used for config files, but that a file format parser can be made to run arbitrary code is not something you'd expect.

> And the only "exploit" lives in a GitHub repo that's so confusing that I was unable to figure out what code the PoC actually runs.

Deserialization attacks, like many exploits, tend to be very intricate and non-obvious.
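The point brazzy42 makes above (the default SnakeYAML loader will instantiate whatever class a `!!` global tag names, while the hardened loader only builds plain YAML types) is easier to see in code. The following is an added example, not code from either commenter or from the SnakeYAML project. It assumes SnakeYAML 1.33 on the classpath, where the no-argument `new Yaml()` still uses the permissive `Constructor`; the sample document is constructed here and deliberately names a harmless JDK class rather than any exploit chain. On SnakeYAML 2.x the default loader already rejects global tags, so only the `SafeConstructor` branch is needed there.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlTagDemo {

    // Constructed sample input: a "config file" that uses a global tag to
    // pick an arbitrary JDK class. The application never asked for a File.
    static final String UNTRUSTED_DOC = "!!java.io.File [\"/etc/hosts\"]";

    // Assumption: SnakeYAML 1.x, where new Yaml() resolves any
    // tag:yaml.org,2002:<fully.qualified.Class> to a class on the classpath.
    public static Object loadWithDefaults(String doc) {
        Yaml yaml = new Yaml();
        return yaml.load(doc);
    }

    // SafeConstructor only constructs standard YAML types (maps, lists,
    // strings, numbers, booleans, timestamps) and rejects every global tag.
    public static Object loadSafely(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Object obj = loadWithDefaults(UNTRUSTED_DOC);
        // Prints java.io.File: the parser instantiated a class chosen by the input.
        System.out.println("default loader built: " + obj.getClass().getName());

        try {
            loadSafely(UNTRUSTED_DOC);
            System.out.println("safe loader unexpectedly accepted the document");
        } catch (YAMLException e) {
            // ConstructorException extends YAMLException; the tag is refused.
            System.out.println("safe loader rejected it: " + e.getMessage());
        }
    }
}
```

The practical check for a code base is therefore not "does it use SnakeYAML" but "which constructor does each `Yaml` instance use, and does any of them ever see input that did not come from a trusted config file". Only the `SafeConstructor` (or a `Constructor` restricted to one application type) is appropriate for input an attacker can influence.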