{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-24621", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-02T18:06:24.584Z", "dateReserved": "2023-01-30T00:00:00", "datePublished": "2023-08-25T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-25T19:49:52.308018"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/EsotericSoftware"}, {"url": "https://contrastsecurity.com"}, {"url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:18.917Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/EsotericSoftware", "tags": ["x_transferred"]}, {"url": "https://contrastsecurity.com", "tags": ["x_transferred"]}, {"url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-02T18:05:42.900413Z", "id": "CVE-2023-24621", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T18:06:24.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/EsotericSoftware", "tags": ["x_transferred"]}, {"url": "https://contrastsecurity.com", "tags": ["x_transferred"]}, {"url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:18.917Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-24621", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-02T18:05:42.900413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T18:05:47.555Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/EsotericSoftware"}, {"url": "https://contrastsecurity.com"}, {"url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-25T19:49:52.308018"}}}, "cveMetadata": {"cveId": "CVE-2023-24621", "state": "PUBLISHED", "dateUpdated": "2024-10-02T18:06:24.584Z", "dateReserved": "2023-01-30T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-08-25T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esotericsoftware:yamlbeans:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA60B6AE-695A-4791-88C5-576BDEEA4FE4", "versionEndIncluding": "1.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en YamlBeans de Esoteric a trav\u00e9s de 1.15. Permite la deserializaci\u00f3n no confiable a clases Java de forma predeterminada, donde los datos y la clase son controlados por el autor del documento YAML que se est\u00e1 procesando.\n"}], "id": "CVE-2023-24621", "lastModified": "2024-11-21T07:48:14.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-25T20:15:07.983", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://contrastsecurity.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/EsotericSoftware"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://contrastsecurity.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/EsotericSoftware"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}