SYM_RB_0023 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Deserialization of Untrusted Data

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
## Description

The application deserializes data read from user-controlled environment variables with methods such as `Marshal.load`, `Oj.load`, or `CSV.load`. These loaders reconstruct whatever object types the serialized input names, so an attacker who can influence the variable's contents can control which objects are instantiated, and any code that runs during object reconstruction, inside the application process.
## Impact

An attacker could exploit this vulnerability to execute arbitrary code on the server, potentially compromising sensitive data, gaining unauthorized access, or taking full control of the application and the underlying system.
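The following is an added example, not code from the Symbiotic database or from any application it describes, showing the pattern this rule flags beside a hardened replacement, plus a small source check of the kind a reviewer could run. Everything here is constructed: the `AppConfig` and `OtherThing` classes, the `APP_CONFIG` variable name, the `SAMPLE_LINES` snippets, and the helper names are all hypothetical.

```ruby
require "base64"
require "json"

# Constructed application class: the sort of object an app might serialize
# and later expect to reload from configuration.
class AppConfig
  attr_reader :log_level
  def initialize(log_level)
    @log_level = log_level
  end
end

# Constructed unrelated class, used only to show that Marshal rebuilds
# whatever type the byte stream names, not the type the caller expected.
class OtherThing; end

# VULNERABLE pattern (what this rule flags): a serialized blob taken from an
# environment variable is handed straight to Marshal.load. The data, not the
# code, decides which classes get instantiated in the process. The same
# concern applies to Oj.load in its default object mode and to CSV.load.
def load_config_unsafe(env)
  Marshal.load(Base64.strict_decode64(env.fetch("APP_CONFIG")))
end

# HARDENED pattern: accept only a data-only format. JSON.parse (with the
# default create_additions: false) can yield nothing but Hash, Array, String,
# Numeric, true, false and nil, so the application, not the input, decides
# which objects exist. The shape is then validated before use. For Oj the
# equivalent is Oj.safe_load or Oj.load(json, mode: :strict).
ALLOWED_LOG_LEVELS = %w[debug info warn error].freeze

def load_config_safe(env)
  data = JSON.parse(env.fetch("APP_CONFIG"))
  raise ArgumentError, "config must be a JSON object" unless data.is_a?(Hash)
  level = data["log_level"]
  raise ArgumentError, "unsupported log_level" unless ALLOWED_LOG_LEVELS.include?(level)
  AppConfig.new(level)
end

# Lightweight source check: report (1-based) line numbers where an unsafe
# loader is called on the same line as ENV. This is a single-line heuristic;
# values copied out of ENV into a variable on an earlier line are not caught,
# so it is a triage aid rather than a complete detector.
UNSAFE_LOADER = /\b(Marshal|Oj|CSV)\.load\b/

def flag_unsafe_env_deserialization(lines)
  lines.each_with_index
       .select { |line, _| line.match?(UNSAFE_LOADER) && line.include?("ENV") }
       .map { |_, idx| idx + 1 }
end

# Constructed sample source lines standing in for a code base.
SAMPLE_LINES = [
  'cfg = JSON.parse(ENV["APP_CONFIG"])',                       # data-only parser: fine
  'cfg = Marshal.load(Base64.decode64(ENV["APP_CONFIG"]))',    # flagged
  'rows = CSV.parse(File.read(path))',                         # CSV.parse is not CSV.load
  'obj = Oj.load(ENV.fetch("SESSION_BLOB"))',                  # flagged
  'obj = Oj.load(payload, mode: :strict)',                     # no ENV on this line
].freeze

if __FILE__ == $PROGRAM_NAME
  blob = Base64.strict_encode64(Marshal.dump(OtherThing.new))
  puts "unsafe loader returned: #{load_config_unsafe("APP_CONFIG" => blob).class}"
  puts "safe loader returned:   #{load_config_safe("APP_CONFIG" => '{"log_level":"warn"}').class}"
  puts "flagged lines: #{flag_unsafe_env_deserialization(SAMPLE_LINES).inspect}"
end
```

The point the two loaders make side by side: with `Marshal.load`, the variable's bytes choose the class (here the unrelated `OtherThing`), while `JSON.parse` plus explicit validation leaves that choice entirely with the application.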