Skip to content

Unsafe YAML deserialization in Ruby Client

Moderate
CEHENKLE published GHSA-977c-63xq-cgw3 Jun 30, 2022

Package

bundler opensearch-ruby (RubyGems)

Affected versions

< 2.0.2

Patched versions

2.0.2

Description

Impact

A YAML deserialization in opensearch-ruby 2.0.0 can lead to unsafe deserialization using YAML.load if the response is of type YAML.

Patches

The problem has been patched in opensearch-ruby gem version 2.0.2.

Workarounds

No viable workaround. Please upgrade to 2.0.2

References

#77
https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2022-31115

Weaknesses