CVE-2018-1000210
Description
YamlDotNet version 4.3.2 and earlier deserializes user-controlled types. The advisory labels the flaw an Insecure Direct Object Reference, but the mechanism is unsafe deserialization: the default behaviour of Deserializer.Deserialize() resolves a YAML node's `!` tag to a .NET type in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates that type, with no allow-list. A specially crafted YAML file that the victim parses can therefore result in code execution in the context of the running process. This vulnerability appears to have been fixed in 5.0.0.
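To make the mechanism concrete, the C# below is an added example (editor's code, not YamlDotNet's and not part of the advisory). It shows the vulnerable call pattern the description refers to next to a hardened loader that walks the parser's event stream, refuses any document carrying a tag the application did not declare, and then deserializes into a fixed target type with an explicit tag mapping. It assumes the YamlDotNet 5.x API, where `NodeEvent.Tag` is a string that includes the leading `!` (later releases expose a `TagName` struct instead); the `Config` class, the `!config` tag and both YAML documents are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using YamlDotNet.Core;
using YamlDotNet.Core.Events;
using YamlDotNet.Serialization;

// Added example (not YamlDotNet project code). Assumes the YamlDotNet 5.x API,
// where NodeEvent.Tag is a string including the leading "!".
public sealed class Config   // hypothetical application type
{
    public string Name { get; set; }
    public int Port { get; set; }
}

public static class YamlTagGuard
{
    // Constructed sample inputs. The second one carries a "!" type tag, which is
    // the construct the vulnerable Type.GetType(nodeEvent.Tag.Substring(1)) path
    // resolved and instantiated on 4.3.2 and earlier.
    public const string BenignYaml = "name: web\nport: 8080\n";
    public const string TaggedYaml = "!System.Collections.Generic.List`1[[System.String]]\n- a\n";

    // Vulnerable pattern on YamlDotNet <= 4.3.2: an untyped Deserialize() lets the
    // document's own "!" tag choose which CLR type gets instantiated. Shown for
    // contrast only; never call this on untrusted input.
    public static object DeserializeUntrusted_Unsafe(string yaml)
    {
        var deserializer = new DeserializerBuilder().Build();
        return deserializer.Deserialize<object>(new StringReader(yaml));
    }

    // Walk the parser event stream and return every non-empty node tag. Nothing is
    // instantiated here, so it is safe to run on untrusted input before deserializing.
    public static List<string> CollectTags(string yaml)
    {
        var tags = new List<string>();
        var parser = new Parser(new StringReader(yaml));
        while (parser.MoveNext())
        {
            if (parser.Current is NodeEvent node && !string.IsNullOrEmpty(node.Tag))
                tags.Add(node.Tag);
        }
        return tags;
    }

    // Hardened pattern: deserialize into a fixed target type, map only the tags the
    // application declares, and refuse documents that carry any other tag. Upgrading
    // to 5.0.0 removes the Type.GetType resolution; the pre-check keeps the rejection
    // explicit and loggable instead of relying on library behaviour alone.
    public static Config LoadConfig(string yaml)
    {
        var allowedTags = new HashSet<string> { "!config" };   // hypothetical app-defined tag
        var unexpected = CollectTags(yaml).Where(t => !allowedTags.Contains(t)).ToList();
        if (unexpected.Count > 0)
            throw new InvalidDataException("refusing YAML with unexpected tags: " + string.Join(", ", unexpected));

        var deserializer = new DeserializerBuilder()
            .WithTagMapping("!config", typeof(Config))   // explicit mapping, no type lookup by name
            .Build();
        return deserializer.Deserialize<Config>(new StringReader(yaml));
    }

    public static void Main()
    {
        Console.WriteLine("benign tags: [" + string.Join(",", CollectTags(BenignYaml)) + "]");
        Console.WriteLine("tagged tags: [" + string.Join(",", CollectTags(TaggedYaml)) + "]");

        var cfg = LoadConfig(BenignYaml);
        Console.WriteLine($"loaded {cfg.Name}:{cfg.Port}");

        try { LoadConfig(TaggedYaml); }
        catch (InvalidDataException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The tag pre-check is also a useful detection point: any `!`-tagged node arriving in a document that the application never produces with tags is worth logging, because on an unpatched deployment it is the attacker's lever, and on a patched one it is still evidence that someone is probing for this bug.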
Risk Information
Base Score
7.8
HIGH
Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Exploitation probability (EPSS, 30-day window)
0.339
Associated Vulnerability
| NuGet package | OS Platform | Fixed in |
|---|---|---|
| YamlDotNet | Windows | 5.0.0 |
| YamlDotNet.Signed | Windows | 5.0.0 |
| YamlDotNet (for Linux) | Linux | 5.0.0 |
| YamlDotNet.Signed (for Linux) | Linux | 5.0.0 |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2018-1000210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000210