CVE-2023-34055
Code Execution vulnerability in spring-boot-actuator (Maven)
What is CVE-2023-34055 About?
Versions 2.0.4 and earlier of `js-yaml` are affected by a Code Execution vulnerability in its YAML deserializer. This flaw allows attackers to execute arbitrary code by supplying a specially crafted YAML input. Exploitation is straightforward if an application processes untrusted YAML using the vulnerable `.load()` method.
Affected Software
- org.springframework.boot:spring-boot-actuator
  - <2.7.18
  - >3.0.0, <3.0.13
  - >3.1.0, <3.1.6
Technical Details
The vulnerability in js-yaml versions 2.0.4 and earlier is a code execution flaw within its YAML deserializer. Specifically, when the `.load()` method is used, it can process YAML tags such as `!!js/function`. An attacker can embed JavaScript code within such a tag in a YAML document. When this malicious YAML is deserialized by `yaml.load()`, the embedded JavaScript code is executed directly by the application, leading to arbitrary code execution. The provided proof of concept demonstrates injecting a `!!js/function` tag to execute `console.log(1)`.
What is the Impact of CVE-2023-34055?
Successful exploitation may allow attackers to execute arbitrary code with the privileges of the affected application, leading to system compromise, data manipulation, or further attacks within the environment.
What is the Exploitability of CVE-2023-34055?
Exploitation requires the ability to provide a specially crafted YAML string to an application that uses the vulnerable js-yaml library's .load() method. This is of low complexity. There are no specific authentication or privilege requirements to trigger the vulnerability, as it typically exploits the application's core YAML parsing functionality. This is generally a remote vulnerability when the malicious YAML is provided over a network or through file uploads. The likelihood of exploitation is high in applications that accept and deserialize YAML input from external or untrusted sources without using the .safeLoad() method or robust input validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-34055?
Available Upgrade Options
- org.springframework.boot:spring-boot-actuator
  - <2.7.18 → Upgrade to 2.7.18
  - >3.0.0, <3.0.13 → Upgrade to 3.0.13
  - >3.1.0, <3.1.6 → Upgrade to 3.1.6
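The affected ranges and the upgrade targets above are the data a practitioner actually needs in an inventory check. The following is an added example, not code from this advisory or from the Spring Boot project: it copies the range strings exactly as the Affected Software and Available Upgrade Options lists state them (including their `>` lower bounds), reads dependency lines in the `[INFO] groupId:artifactId:type:version:scope` shape that `mvn dependency:list` prints, and reports which `spring-boot-actuator` versions fall inside a listed range together with the version to upgrade to. The sample dependency lines are constructed for the example.

```python
import re

# Affected version ranges and their fixes for
# org.springframework.boot:spring-boot-actuator, copied as written from the
# advisory's lists above. Each spec is a comma-separated set of bounds that
# must all hold for a version to count as affected.
AFFECTED = [
    ("<2.7.18", "2.7.18"),
    (">3.0.0, <3.0.13", "3.0.13"),
    (">3.1.0, <3.1.6", "3.1.6"),
]

TARGET_GROUP = "org.springframework.boot"
TARGET_ARTIFACT = "spring-boot-actuator"

_BOUND_RE = re.compile(r"^\s*(>=|<=|>|<)\s*([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_version(text):
    """Turn '2.7.17' or '3.0.0-RC1' into a comparable tuple of integers.

    A '-qualifier' suffix is dropped; numeric comparison of the dotted core
    is sufficient for the release versions the advisory lists.
    """
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def satisfies(version, bound):
    """True if `version` meets a single bound such as '<2.7.18'."""
    match = _BOUND_RE.match(bound)
    if not match:
        raise ValueError(f"unparsable bound: {bound!r}")
    op, limit = match.group(1), parse_version(match.group(2))
    value = parse_version(version)
    return {"<": value < limit, "<=": value <= limit,
            ">": value > limit, ">=": value >= limit}[op]


def upgrade_target(version):
    """Return the fixed version to move to, or None if `version` is
    outside every affected range listed in the advisory."""
    for spec, fixed in AFFECTED:
        if all(satisfies(version, bound) for bound in spec.split(",")):
            return fixed
    return None


def parse_dependency_line(line):
    """Parse one `mvn dependency:list` output line into (group, artifact,
    version); returns None for lines that are not dependency entries.

    Coordinates have the form g:a:type[:classifier]:version:scope, so the
    version is always the second-to-last colon-separated field.
    """
    match = re.match(r"^\[INFO\]\s+(\S+)", line)
    if not match:
        return None
    parts = match.group(1).split(":")
    if len(parts) < 5:
        return None
    return parts[0], parts[1], parts[-2]


def scan_dependency_list(lines):
    """Return [(found_version, upgrade_to), ...] for every actuator entry
    whose version falls inside a listed affected range."""
    findings = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        if (group, artifact) != (TARGET_GROUP, TARGET_ARTIFACT):
            continue
        fixed = upgrade_target(version)
        if fixed is not None:
            findings.append((version, fixed))
    return findings


# Constructed sample of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-actuator:jar:2.7.17:compile
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.7.17:compile
[INFO]    org.yaml:snakeyaml:jar:1.30:compile
[INFO]    org.springframework.boot:spring-boot-actuator:jar:3.1.6:test
""".splitlines()


if __name__ == "__main__":
    for version, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{TARGET_GROUP}:{TARGET_ARTIFACT}:{version} is in an affected "
              f"range; upgrade to {fixed}")
```

Pipe real output in with `mvn dependency:list | python3 check_actuator.py` after replacing the constructed sample with `sys.stdin`; the bounds are evaluated literally as the advisory prints them, so adjust the `AFFECTED` table if your source of truth states the lower bounds differently.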
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2023-34055
- https://security.netapp.com/advisory/ntap-20231221-0010/
- https://osv.dev/vulnerability/GHSA-jjfh-589g-3hjx
- https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862
- https://spring.io/security/cve-2023-34055
- https://github.com/spring-projects/spring-boot/commit/5490e73922b37a7f0bdde43eb318cb1038b45d60
- https://github.com/spring-projects/spring-boot
What are Similar Vulnerabilities to CVE-2023-34055?
Similar Vulnerabilities: CVE-2020-11104, CVE-2020-15228, CVE-2020-25807, CVE-2019-10748, CVE-2017-16003
