Impact
What kind of vulnerability is it? Who is impacted?
parse_yaml() does not sanitise input, making it possible for the YAML parser to execute shell substitution commands. For example, this yaml will execute the curl in archive_path.
server:
ip: 127.0.0.1
port: 1935
app: sprout
key: winkle
archive_stream: true
archive_path: $(curl -s ifconfig.me/ip)
This example is not so harmful, but an attacker could use the technique to exfiltrate stream keys or worse.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Edit parse_yaml() and add the following between the 2nd and 3rd sed
- Setting file permissions to only allow trusted users write access to the yaml configuration file may offer some mitigation.
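An input check that can sit alongside these workarounds, as an added example that is not the project's code or Antonio's modification: it refuses a config containing `$` or a backtick, and emits single-quoted assignments so values stay literal. The function names are hypothetical, it assumes the parser's output is passed to eval, and it handles only flat key: value lines rather than the nesting parse_yaml() supports.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of the project.
# Usage: config_is_inert conf.yaml && eval "$(emit_literal_assignments conf.yaml)"

# Return 0 only if the file is readable and no line contains a shell
# expansion metacharacter ($ or backtick). This is deliberately
# conservative: a legitimate value containing "$" is rejected too.
# An unreadable file returns 2, so the check fails closed.
config_is_inert() {
    [ -r "$1" ] || return 2
    ! grep -q '[$`]' "$1"
}

# Turn flat "key: value" lines into shell assignments whose values are
# wrapped in single quotes, so eval treats them as literal text.
#   1st expression: rewrite every embedded ' as '\'' so a value cannot
#                   close the quoting early.
#   2nd expression: accept only identifier-style keys with a non-empty
#                   value; anything else (for example a bare "server:"
#                   section header) is dropped, not passed through.
emit_literal_assignments() {
    sed -n \
        -e "s/'/'\\\\''/g" \
        -e "s/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\):[[:space:]]*\(..*\)\$/\1='\2'/p" \
        "$1"
}
```
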
References
Are there any links users can visit to find out more?
This issue was originally identified by Antonio Espinosa in the Stack Overflow thread which discussed a yaml parser implemented in a bash function using sed and awk.
Antonio also offered a modification to mitigate the issue: