Impact
A YAML deserialization in opensearch-ruby 2.0.0 can lead to unsafe deserialization using YAML.load if the response is of type YAML.
Patches
The problem has been patched in opensearch-ruby gem version 2.0.2.
Workarounds
No viable workaround. Please upgrade to 2.0.2
References
https://github.com/opensearch-project/opensearch-ruby/pull/77
https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/
For more information
If you have any questions or comments about this advisory:
- Open an issue in opensearch-ruby
References
- https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
- https://nvd.nist.gov/vuln/detail/CVE-2022-31115
- https://github.com/opensearch-project/opensearch-ruby/pull/77
- https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/opensearch-ruby/CVE-2022-31115.yml
- https://github.com/advisories/GHSA-977c-63xq-cgw3