https://github.com/mbadanoiu/cve-2021-46364
# CVE-2021-46364: YAML Deserialization in Magnolia CMS

Magnolia (versions <=6.2.3) parses imported YAML files with SnakeYAML in a configuration that is vulnerable to deserialization attacks: a YAML document can name arbitrary Java classes via tags, and the parser will invoke their constructors when the file is imported.

Remote Code Execution has been achieved using this vulnerability.
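To make the mechanism concrete, the following is an added example (not code from the repository or from Magnolia) contrasting the SnakeYAML usage pattern behind this class of bug with its hardened form. It assumes SnakeYAML 1.x on the classpath, where the default `Yaml()` constructor honours global `!!class` tags; `java.io.File` is used only because instantiating it has no side effect.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlImportCheck {
    // Constructed sample document: the global tag names a JVM class, and the
    // sequence supplies the constructor arguments. Harmless class chosen on purpose.
    static final String TAGGED_DOC = "!!java.io.File [\"/tmp/example\"]";

    // Vulnerable pattern: the default Constructor resolves "!!fully.qualified.Class"
    // tags to that class and calls a matching constructor with the node's values.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor only knows the standard YAML types
    // (maps, lists, scalars), so any tag that names a class is rejected.
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Object o = loadUnsafe(TAGGED_DOC);
        // Prints java.io.File: the parser instantiated a class chosen by the document.
        System.out.println("default Yaml() built: " + o.getClass().getName());
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("unexpected: SafeConstructor accepted a class tag");
        } catch (YAMLException e) {
            // Expected: ConstructorException, "could not determine a constructor for the tag ..."
            System.out.println("SafeConstructor rejected it: " + e.getMessage());
        }
    }
}
```

When an import feature only needs plain data, `SafeConstructor` (or a `Constructor` restricted to an explicit root type) is the setting to verify in code review.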

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://docs.magnolia-cms.com/product-docs/6.2/Releases/Release-notes-for-Magnolia-CMS-6.2.4.html#_security_advisory).

### Requirements:

This vulnerability requires:

- Valid user credentials

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2021-46364/blob/main/Magnolia%20CMS%20-%20CVE-2021-46364.pdf).