=====================================================================
CERT-Renater Information Note No. 2022/VULN239
_____________________________________________________________________
DATE                 : 07/07/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running opensearch-ruby (RubyGem) versions prior to 2.0.2.
=====================================================================

https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
_____________________________________________________________________

Unsafe YAML deserialization in Ruby Client
Severity: Moderate

CEHENKLE published GHSA-977c-63xq-cgw3 7 days ago

Package           : opensearch-ruby (RubyGems)
Affected versions : < 2.0.2
Patched versions  : 2.0.2

Description

Impact
A YAML deserialization in opensearch-ruby 2.0.0 can lead to unsafe deserialization using YAML.load if the response is of type YAML.

Patches
The problem has been patched in opensearch-ruby gem version 2.0.2.

Workarounds
No viable workaround. Please upgrade to 2.0.2.

References
#77
https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/

For more information
If you have any questions or comments about this advisory:
Open an issue in opensearch-ruby

Severity   : Moderate
CVE ID     : CVE-2022-31115
Weaknesses : CWE-502

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris         | email:cert@support.renater.fr +
=========================================================
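The response-decoding pattern the advisory describes, in its hardened YAML.safe_load form, as an added example that is not the opensearch-ruby gem's code: the YamlResponseDecoder class, the ClientSideObject sentinel class and the sample response bodies are constructed for this note.

```ruby
require 'yaml'

# Constructed for this note; not the opensearch-ruby gem's code.
# The client inspects the response Content-Type and, for YAML, deserializes
# the body. opensearch-ruby 2.0.0 did this with YAML.load, which on Psych 3
# (Ruby <= 3.0) resolves "!ruby/object:..." tags and instantiates arbitrary
# client-side classes from server-controlled data (CWE-502). On Psych 4
# (Ruby 3.1+) YAML.load already behaves like safe_load, but a library must
# not rely on the caller's Ruby version, so the fixed form calls safe_load
# explicitly and only ever builds plain data (Hash, Array, String, ...).
class YamlResponseDecoder
  # Sentinel: a response body must never be able to instantiate this class.
  class ClientSideObject
    attr_accessor :value
  end

  # Returns the body untouched unless it is YAML; YAML bodies go through
  # safe_load, which raises Psych::DisallowedClass on any tagged Ruby object.
  def self.decode(content_type, body)
    return body unless content_type.to_s.start_with?('application/yaml')

    YAML.safe_load(body)
  end

  # Same as decode, but reports a refused body as :refused instead of raising,
  # which is the shape an HTTP client would want for logging and alerting.
  def self.decode_or_refuse(content_type, body)
    decode(content_type, body)
  rescue Psych::DisallowedClass
    :refused
  end
end

# Constructed sample bodies: a benign cluster-health document and one that
# carries a Ruby object tag, as a hostile or compromised server could return.
BENIGN_BODY = "cluster_name: demo\nstatus: green\n"
TAGGED_BODY = "--- !ruby/object:YamlResponseDecoder::ClientSideObject\nvalue: 1\n"

if $PROGRAM_NAME == __FILE__
  p YamlResponseDecoder.decode('application/yaml', BENIGN_BODY)
  p YamlResponseDecoder.decode_or_refuse('application/yaml', TAGGED_BODY)
end
```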