bolo-solo SnakeYAML BackupService.java importMarkdownsSync deserialization

A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

可信数据的反序列化

bolo-solo 代码问题漏洞

bolo-solo是bolo-blog开源的一个博客系统。 bolo-solo 2.6.4及之前版本存在代码问题漏洞，该漏洞源于SnakeYAML组件中文件src/main/java/org/b3log/solo/bolo/prop/BackupService.java的函数importMarkdownsSync存在反序列化问题。

N/A

N/A