CVE-2023-24621: Esoteric YamlBeans Unsafe Deserialization vulnerability

August 25, 2023

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

References

github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md
github.com/advisories/GHSA-jm7r-4pg6-gf26
nvd.nist.gov/vuln/detail/CVE-2023-24621

Detect and mitigate CVE-2023-24621 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →