Impact
What kind of vulnerability is it? Deserialization of Untrusted Data
Who is impacted? Anyone running cwlviewer older than f6066f0 (dated 2021-09-30)
Patches
Patched in f6066f0, released as part of cwlviewer v1.4
The instance at https://view.commonwl.org has been updated as well
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading? No. SnakeYaml's default constructor allows any data in the document to be parsed, including tags that name the class to instantiate. To fix the issue, the Yaml object needs to be created with a SafeConstructor, as seen in the patch.
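The following Java program is an added example, not code from the cwlviewer project or its patch. It shows the difference the workaround section describes: the default constructor lets the YAML document choose which Java class is built, while SafeConstructor only builds standard YAML types. It assumes SnakeYaml 1.x on the classpath (where SafeConstructor has a no-argument constructor; SnakeYaml 2.x requires a LoaderOptions argument), the input document is constructed for the example, and the class and method names are illustrative.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoading {

    // Constructed sample input: an ordinary workflow-style document plus a
    // global "!!" tag asking the loader to instantiate a JDK class of the
    // document author's choosing (a harmless one here, to keep the point visible).
    static final String TAGGED_INPUT =
        "class: Workflow\n" +
        "label: example\n" +
        "extra: !!java.util.Date {}\n";

    static final String PLAIN_INPUT =
        "class: Workflow\n" +
        "label: example\n";

    // The pre-fix pattern: Yaml() uses the default Constructor, which honours
    // "!!fully.qualified.ClassName" tags and instantiates that class.
    static Object loadWithDefaultConstructor(String doc) {
        Yaml yaml = new Yaml();
        return yaml.load(doc);
    }

    // The fixed pattern: SafeConstructor only builds maps, lists and scalars
    // and rejects any tag it does not know.
    static Object loadWithSafeConstructor(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadWithDefaultConstructor(TAGGED_INPUT);
        // The document, not the application, decided which class to construct.
        System.out.println("default constructor built: "
            + unsafe.get("extra").getClass().getName());

        try {
            loadWithSafeConstructor(TAGGED_INPUT);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (YAMLException e) {
            // SafeConstructor throws a ConstructorException (a YAMLException)
            // because no constructor is registered for the tag.
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }

        // Untagged workflow data still loads normally under SafeConstructor.
        Map<?, ?> safe = (Map<?, ?>) loadWithSafeConstructor(PLAIN_INPUT);
        System.out.println("plain document loaded, class = " + safe.get("class"));
    }
}
```

Run it with snakeyaml 1.x on the classpath. The first line of output names java.util.Date, showing that the parsed data picked the class; the second shows SafeConstructor refusing the tag; the third shows that ordinary documents are unaffected by the fix. When auditing a code base for this pattern, look for every `new Yaml()` or `new Yaml(new Constructor(...))` that receives input from outside the application.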
References
Are there any links users can visit to find out more? Analysis of the SnakeYaml deserialization in Java Security
For more information
If you have any questions or comments about this advisory: