SYM_JAVA_0056 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
Property | Value |
---|---|
Language | java |
Severity | |
CWE | CWE-502: Deserialization of Untrusted Data |
OWASP | A08:2017 - Insecure Deserialization |
Confidence Level | Low |
Impact Level | High |
Likelihood Level | Low |
Description
Using the default SnakeYAML Yaml() constructor, without passing a SafeConstructor or a custom BaseConstructor, loads YAML with the unrestricted Constructor. That constructor resolves global tags of the form !!fully.qualified.ClassName by instantiating the named class, so the document, not the application code, decides which classes are created during loading. An application that loads untrusted YAML this way is exposed to deserialization attacks. (SnakeYAML 2.0 changed the default to reject global tags; on 1.x the default Yaml() remains unrestricted, and on either line SafeConstructor is the explicit, version-independent fix.)
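The vulnerable form beside its hardened form, as an added example that is not part of the SymbioticSec page or of SnakeYAML itself. It assumes SnakeYAML 1.33 or newer (where SafeConstructor accepts a LoaderOptions); the class name, method names and the sample document are constructed for this illustration. The sample uses java.net.URL only because it is harmless: the same tag mechanism instantiates any class the JVM can find, which is what makes the default loader dangerous on untrusted input.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderDemo {

    // Constructed sample input: a global tag (!!fully.qualified.Class) asks the
    // loader to instantiate that class. java.net.URL is chosen because it is
    // harmless; the loader would accept any class on the classpath just the same.
    static final String UNTRUSTED_YAML =
            "endpoint: !!java.net.URL [\"http://example.invalid/\"]\n";

    // Vulnerable: the default Yaml() uses the unrestricted Constructor, so the
    // document decides which classes get instantiated (SnakeYAML 1.x behaviour;
    // 2.x rejects global tags by default and would throw here instead).
    static Object loadUnsafe(String yamlText) {
        Yaml yaml = new Yaml();
        return yaml.load(yamlText);
    }

    // Hardened: SafeConstructor only builds the standard YAML types (maps,
    // sequences, scalars) and rejects every global tag with a YAMLException.
    static Object loadSafe(String yamlText) {
        LoaderOptions options = new LoaderOptions();
        Yaml yaml = new Yaml(new SafeConstructor(options));
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        java.util.Map<?, ?> unsafe = (java.util.Map<?, ?>) loadUnsafe(UNTRUSTED_YAML);
        // With the default loader the "endpoint" value is a live java.net.URL
        // object, created purely because the input asked for it.
        System.out.println("default Yaml() built: " + unsafe.get("endpoint").getClass());

        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("SafeConstructor accepted the document (unexpected)");
        } catch (YAMLException e) {
            // Expected: the global tag is refused before any class is constructed.
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
    }
}
```

If the application needs typed objects rather than plain maps, the safe pattern is still to construct the Yaml instance with an explicit BaseConstructor that is limited to the expected root type and tags, rather than relying on Yaml()'s default; in SnakeYAML 1.x even a Constructor bound to a root class still honours arbitrary global tags inside nested values, so the restriction must be deliberate.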
Impact
If exploited, an attacker who controls the YAML input can choose which classes are instantiated when the document is loaded; with a suitable class available on the classpath this yields arbitrary code execution or other unauthorized actions on the server. That in turn can lead to data breaches, full system compromise, or a foothold for further attacks within the organization.