
WS-2019-0063
Good to know:


Date: April 5, 2019
js-yaml versions prior to 3.13.1 are vulnerable to code injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Language: Java
Top Fix

Upgrade Version
Upgrade to version js-yaml - 3.13.1
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | HIGH |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |