CVE-2023-39106: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

August 21, 2023 (updated August 31, 2023)

An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor() component.

References

github.com/advisories/GHSA-v6c8-pwhq-288m
github.com/nacos-group/nacos-spring-project/issues/314
nvd.nist.gov/vuln/detail/CVE-2023-39106

Detect and mitigate CVE-2023-39106 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →