Unsafe YAML deserialization in opensearch-ruby
Published: July 05, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2022-31115 (NVD)
- GHSA: GHSA-977c-63xq-cgw3
- Vendor Advisory: https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
PACKAGE
opensearch-ruby (gem)
SEVERITY
CVSS v3.x: 8.8 (High)
PATCHED VERSIONS
>= 2.0.2
DESCRIPTION
Impact
opensearch-ruby 2.0.0 deserializes any response whose content type is YAML with YAML.load. Before Psych 4, YAML.load instantiates whatever Ruby classes the document's tags name, so a malicious or compromised OpenSearch server, or anyone who can tamper with the connection, can build arbitrary objects inside the client process, which is the usual route to arbitrary code execution.
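To make the impact concrete, here is an added example (not opensearch-ruby's own code) of a client that selects a deserializer from the response Content-Type, with the vulnerable YAML branch beside the hardened one. The `AuditHook` class, the `deserialize_*` helpers and the response bodies are constructed for the illustration; `AuditHook` stands in for any class reachable in the client process. The example calls `YAML.unsafe_load` explicitly (falling back to `YAML.load` on Psych < 4, where `load` is already unsafe) so the pre-fix behaviour is reproduced on current Rubies as well.

```ruby
# Added example, not code from opensearch-ruby: a client that picks a
# deserializer based on the server-supplied Content-Type header.
require 'yaml'
require 'json'

# Hypothetical class standing in for any class loaded in the client process.
# Under unsafe loading, the *server* decides which class gets instantiated.
class AuditHook
  attr_accessor :cmd
end

# Constructed server responses. A YAML body may carry explicit Ruby object
# tags; the server (or a man-in-the-middle) controls every byte of it.
MALICIOUS_YAML = "--- !ruby/object:AuditHook\ncmd: id\n"
BENIGN_YAML    = "---\nhits:\n  total: 3\n"

# Vulnerable pattern: YAML-typed bodies go to the unsafe loader.
# Psych < 4: YAML.load is unsafe. Psych >= 4: YAML.load is safe_load by
# default, so unsafe_load is called explicitly to reproduce the old behaviour.
def deserialize_unsafe(content_type, body)
  case content_type
  when /yaml/
    YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
  when /json/
    JSON.parse(body)
  else
    body
  end
end

# Hardened pattern: safe_load only builds strings, numbers, booleans,
# nil, arrays and hashes; any other tag raises Psych::DisallowedClass.
def deserialize_safe(content_type, body)
  case content_type
  when /yaml/
    YAML.safe_load(body)
  when /json/
    JSON.parse(body)
  else
    body
  end
end

# Returns true when the hardened loader refuses the document.
def safe_rejects?(content_type, body)
  deserialize_safe(content_type, body)
  false
rescue Psych::DisallowedClass
  true
end

if $PROGRAM_NAME == __FILE__
  obj = deserialize_unsafe('application/yaml', MALICIOUS_YAML)
  puts "unsafe loader built: #{obj.class} with cmd=#{obj.cmd.inspect}"
  puts "safe loader rejects it: #{safe_rejects?('application/yaml', MALICIOUS_YAML)}"
  puts "safe loader on benign body: #{deserialize_safe('application/yaml', BENIGN_YAML).inspect}"
end
```

The unsafe branch hands the server a constructor for any class in the process; with a suitable gadget class that becomes code execution, which is why the advisory's only remedy is upgrading. The hardened branch still parses ordinary search responses but refuses tagged objects outright, and a pin such as `gem 'opensearch-ruby', '>= 2.0.2'` in the Gemfile is the practical check that the fix is in place.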
Patches
The problem has been patched in opensearch-ruby gem version 2.0.2.
Workarounds
No viable workaround. Upgrade to 2.0.2 or later.
