CVE-2018-1051 - OpenCVE

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Resteasy

Configuration 1 [-]

OR	cpe:2.3:a:redhat:resteasy:3.0.22:::::::*
	cpe:2.3:a:redhat:resteasy:3.1.2:::::::*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1535411
https://nvd.nist.gov/vuln/detail/CVE-2018-1051
https://www.cve.org/CVERecord?id=CVE-2018-1051

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-01-25T20:00:00Z

Updated: 2024-08-05T03:44:11.805Z

Reserved: 2017-12-04T00:00:00

Link: CVE-2018-1051

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-01-25T20:29:00.307

Modified: 2019-10-09T23:38:00.583

Link: CVE-2018-1051

Redhat

Severity : Moderate

Publid Date: 2018-01-18T00:00:00Z

Links: CVE-2018-1051 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:resteasy:3.0.22:*:*:*:*:*:*:*", "matchCriteriaId": "FBFB466F-5DE9-409D-9228-21D7EA23AC08", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "4E64FFCE-4AB8-4D1A-BAC7-D4AD26391478", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider."}, {"lang": "es", "value": "Se descubri\u00f3 que la soluci\u00f3n para CVE-2016-9606 en las versiones 3.0.22 y 3.1.2 era incompleta y sigue siendo posible deserializar Yaml en Resteasy mediante la funci\u00f3n Yaml.load() en YamlProvider."}], "id": "CVE-2018-1051", "lastModified": "2019-10-09T23:38:00.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-25T20:29:00.307", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1535411"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Rui Chong (Baidu) for reporting this issue.", "bugzilla": {"description": "resteasy: Unsafe unmarshalling in YamlProvider allows code execution", "id": "1535411", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1535411"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider."], "mitigation": {"lang": "en:us", "value": "If the YamlProvider is enabled it's recommended to add authentication, and authorization to the endpoint expecting Yaml content to prevent exploitation of this vulnerability."}, "name": "CVE-2018-1051", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Not affected", "package_name": "resteasy", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "resteasy-base", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Not affected", "package_name": "resteasy", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Out of support scope", "package_name": "resteasy", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "resteasy", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "resteasy", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "resteasy", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Not affected", "package_name": "resteasy", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Out of support scope", "package_name": "resteasy", "product_name": "Red Hat JBoss Portal 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Out of support scope", "package_name": "resteasy", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "millicore", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "package_name": "eap7-resteasy-yaml-provider", "product_name": "Red Hat Virtualization 4"}], "public_date": "2018-01-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1051\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1051"], "statement": "This issue only affects applications which have the YamlProvider explicitly enabled by adding or appending a file with the name 'META-INF/services/javax.ws.rs.ext.Providers' to your WAR, or JAR with the contents 'org.jboss.resteasy.plugins.providers.YamlProvider'\nresteasy-base as shipped in Red Hat Enterprise Linux 7 does not include YamlProvider.\nRed Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates.\nThis issue affects the versions of resteasy as shipped with Red Hat Satellite version 6, however Satellite version 6 does not use the affected functionality. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue.\nFor additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate"}