CVE-2022-31115

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1, the Ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result, opensearch-ruby 2.0.0 and earlier can perform unsafe deserialization via YAML.load when a server response is of type YAML. An attacker must be in control of an OpenSearch server and convince the victim to connect to it in order to exploit this vulnerability. The problem has been patched in opensearch-ruby gem version 2.0.1. Users are advised to upgrade. There are no known workarounds for this issue.
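The vulnerable pattern beside the hardened one, as an added illustration that is not code from the opensearch-ruby project: an unrestricted YAML parse of a response body lets a `!ruby/object:` tag instantiate whatever class the document names, while `YAML.safe_load` refuses it. The `AuditRecord` class and both response bodies are constructed for the example; note that Psych 4 (Ruby 3.1+) already restricts `YAML.load` and keeps the old behaviour under `YAML.unsafe_load`, which is why the unrestricted helper picks whichever call is the unrestricted one.

```ruby
require 'yaml'

# Harmless class defined here so the example is self-contained; the point is
# only that the parser, not the client code, decides which class gets built.
class AuditRecord
  attr_reader :note
end

# Constructed sample bodies (not captured from any real server).
TAGGED_BODY = "--- !ruby/object:AuditRecord\nnote: constructed\n"
PLAIN_BODY  = "---\nhits:\n  total: 1\n"

# Pre-2.0.1 pattern: an unrestricted parse of whatever YAML the server sent.
# On Psych >= 4 the unrestricted call is YAML.unsafe_load; earlier it is YAML.load.
def parse_unrestricted(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Hardened pattern: with its defaults, safe_load returns only scalars, arrays
# and hashes, disallows aliases, and raises Psych::DisallowedClass on any
# !ruby/object tag.
def parse_restricted(body)
  YAML.safe_load(body)
end

# :object   the parser instantiated an arbitrary class
# :data     plain data came back
# :rejected the parser refused the document
def outcome(body, restricted:)
  obj = restricted ? parse_restricted(body) : parse_unrestricted(body)
  (obj.is_a?(Hash) || obj.is_a?(Array) || obj.nil?) ? :data : :object
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted, tagged body: #{outcome(TAGGED_BODY, restricted: false)}"
  puts "restricted,   tagged body: #{outcome(TAGGED_BODY, restricted: true)}"
  puts "restricted,   plain body:  #{outcome(PLAIN_BODY, restricted: true)}"
end
```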
Configurations

Configuration 1

cpe:2.3:a:amazon:opensearch:*:*:*:*:*:ruby:*:*

History

25 Jul 2022, 09:34

Type: CPE
  Values removed: cpe:2.3:a:opensearch:opensearch:*:*:*:*:*:ruby:*:*
  Values added:   cpe:2.3:a:amazon:opensearch:*:*:*:*:*:ruby:*:*
Type: First Time
  Values added:   Amazon opensearch; Amazon

12 Jul 2022, 16:23

Type: References
  Values removed: (MISC) https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/
  Values added:   (MISC) https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/ - Exploit, Third Party Advisory
Type: References
  Values removed: (MISC) https://github.com/opensearch-project/opensearch-ruby/pull/77
  Values added:   (MISC) https://github.com/opensearch-project/opensearch-ruby/pull/77 - Patch, Third Party Advisory
Type: References
  Values removed: (CONFIRM) https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
  Values added:   (CONFIRM) https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3 - Third Party Advisory
Type: First Time
  Values added:   Opensearch; Opensearch opensearch
Type: CVSS
  Values removed: v2 : unknown; v3 : unknown
  Values added:   v2 : 6.8; v3 : 8.8
Type: CPE
  Values added:   cpe:2.3:a:opensearch:opensearch:*:*:*:*:*:ruby:*:*

30 Jun 2022, 22:15

Type: New CVE

Information

Published : 2022-06-30 22:15

Updated : 2023-12-10 14:22

NVD link : CVE-2022-31115

Mitre link : CVE-2022-31115

CVE.ORG link : CVE-2022-31115

Products Affected

amazon

  • opensearch

CWE

CWE-502 : Deserialization of Untrusted Data