Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
YamlDotNet 安全漏洞
Vulnerability Description
YamlDotNet是一个YAML(标记语言)的.NET库,它主要提供YAML的低级解析和发送,并包括一个序列化库。 YamlDotNet 4.3.2及之前版本中的‘Deserializer()’函数的默认行为存在安全漏洞,该漏洞源于程序没有安全的实例化‘currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);’行中由用户控制的类型。攻击者可借助特制的YAML文件利用该漏洞执行代码。
CVSS Information
N/A
Vulnerability Type
N/A