RubySec

Providing security resources for the Ruby community

CVE-2022-31115 (opensearch-ruby): Unsafe YAML deserialization in opensearch-ruby

GEM

opensearch-ruby

SEVERITY

CVSS v3.x: 8.8 (High)

PATCHED VERSIONS

  • >= 2.0.2

DESCRIPTION

Impact

opensearch-ruby 2.0.0 deserializes responses whose content type is YAML with YAML.load, which allows unsafe deserialization of attacker-controlled response bodies.
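As an added example (not code from the opensearch-ruby gem), the hardening the fix implies: a response deserializer that dispatches on content type and parses YAML bodies with Psych.safe_load, so a document carrying an object tag is rejected instead of being instantiated. The Response struct and the sample bodies are constructed assumptions, not real OpenSearch output.

```ruby
require 'yaml'
require 'json'

# Minimal stand-in for an HTTP response (assumption, not the gem's own class).
Response = Struct.new(:content_type, :body)

# Hardened deserializer. The vulnerable pattern was `YAML.load(body)`: on
# Psych < 4 (Ruby < 3.1) that call instantiates any class named by a
# `!ruby/object:` tag, so a malicious YAML response body becomes arbitrary
# object construction in the client. Psych.safe_load only revives classes
# listed in permitted_classes and refuses aliases.
def deserialize_response(response)
  case response.content_type
  when %r{application/json}
    JSON.parse(response.body)
  when %r{application/(x-)?yaml}
    YAML.safe_load(response.body, permitted_classes: [Symbol], aliases: false)
  else
    response.body
  end
end

# Returns :ok when the body parses under the safe loader and :rejected when
# the loader refuses it (disallowed class tag, alias, or malformed YAML).
def classify_response(response)
  deserialize_response(response)
  :ok
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError
  :rejected
end

# Constructed sample bodies.
BENIGN_YAML = Response.new('application/yaml',
                           "---\nstatus: green\nnumber_of_nodes: 3\n")
# A document whose root node carries an object tag; safe_load raises
# Psych::DisallowedClass instead of building the object.
TAGGED_YAML = Response.new('application/yaml',
                           "--- !ruby/object:Object\nx: 1\n")
BENIGN_JSON = Response.new('application/json', '{"status":"green"}')

if __FILE__ == $PROGRAM_NAME
  puts "benign yaml: #{classify_response(BENIGN_YAML)}"   # :ok
  puts "tagged yaml: #{classify_response(TAGGED_YAML)}"   # :rejected
end
```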

Patches

The problem has been patched in opensearch-ruby gem version 2.0.2.

Workarounds

No viable workaround. Please upgrade to 2.0.2.