CVE-2023-24621 — Esoteric YamlBeans Unsafe Deserialization vulnerability

Description

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

How to fix CVE-2023-24621

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2023-24621 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-24621
PATCHgithub.com/EsotericSoftware/yamlbeans
WEBcontrastsecurity.com
WEBgithub.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md
WEBgithub.com/EsotericSoftware