Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unsafe YAML deserialization in opensearch-ruby
Vulnerability Description
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the response is of type YAML. An attacker must be in control of an opensearch server and convince the victim to connect to it in order to exploit this vulnerability. The problem has been patched in opensearch-ruby gem version 2.0.1. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
可信数据的反序列化
Vulnerability Title
opensearch-ruby 代码问题漏洞
Vulnerability Description
opensearch-ruby是opensearch-project开源的一个用于 OpenSearch 的 Ruby 客户端。 opensearch-ruby存在代码问题漏洞,该漏洞源于在 2.0.1 之前的版本中,使用 ruby `YAML.load` 函数而不是 `YAML.safe_load`。因此,如果响应是 YAML 类型,opensearch-ruby 2.0.0 和之前的版本可能会导致使用 YAML.load 进行不安全的反序列化。 攻击者必须控制一个 opensearch 服务器并说服受
CVSS Information
N/A
Vulnerability Type
N/A