CVE-2018-1051

HIGH

Redhat Resteasy < 3.0.26.Final - Insecure Deserialization

Title source: rule

Description

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.

References (1)

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1535411

Scores

CVSS v3 8.1

EPSS 0.0069

EPSS Percentile 71.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502 CWE-20

Status published

Affected Products (3)

redhat/resteasy

org.jboss.resteasy/resteasy-yaml-provider < 3.0.26.FinalMaven

Timeline

Published Jan 25, 2018

Tracked Since Feb 18, 2026